PDA

View Full Version : handle single quotes in select statement



coding_begins
10-14-2011, 07:36 PM
how do i handle single quotes in sql query?


" SELECT name from phrase WHERE name='$stitle' ";
this returns an error because the name contains single quotes like this:
Johnson's.

mlseim
10-14-2011, 08:07 PM
Try this ...

$stitle=addslashes($stitle);

" SELECT name from phrase WHERE name='$stitle' ";

The name "Johnson's" must already be in your table column as "Johnson\'s" ??

To remove the slashes,
stripslashes();

Or, sometimes people change the single quote from this: ' to this: `
before they INSERT or UPDATE a MySQL table ...
Then they change it back again when they print it.

coding_begins
10-14-2011, 08:15 PM
Unfortunately, my responsibility does not include how the data is stored in the database or how it is manipulated before it is inserted into the data.
I have access only to select and display them.
So if I apply addslashes($stitle), it should work?

mlseim
10-14-2011, 08:42 PM
Try it and see. I'm not sure if it will work or not.

You should get permission to at least go into the MySQL admin control
and view the table manually. See how that name is stored there.
I'm wondering how they would have been able to store the single quote to begin with.

So try addslashes and see if it find the name (with the single quote).
The worst that will happen is you won't get any query results.

kbluhm
10-14-2011, 08:49 PM
I would suggest using a database-specific escape function, such as mysql_real_escape_string (http://www.php.net/mysql_real_escape_string)().

Also, ensure that magic quotes (http://www.php.net/magicquotes) are disabled, or at least accounted for.