  1. #1
    SitePoint Addict (joined Aug 2007)

    Single Quotes Issues in SQL query

    Hi,
    I have to store the following text in SQL:

    INSERT INTO `rss_data` (`newsurlid`,`newstitle`) VALUES ('95','Special Ghana site for President Obama's visit')

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's visit')' at line 1

    I am getting an error because of the single quote; how do I solve this and replace the single quotes?
    http://kkonline.org - Inspiring Life...

  2. #2
    spikeZ (Manchester UK; joined Aug 2004)

    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  3. #3
    AnthonySterling (Twitter: @AnthonySterling; North-East, UK; joined Apr 2008)
    Quote Originally Posted by spikeZ


    Shame on you!

    You should be using mysql_real_escape_string().

    PHP Code:
    <?php
    // %d forces the id to an integer; the title is escaped so the
    // apostrophe in "Obama's" does not terminate the string literal.
    // mysql_real_escape_string() needs an open mysql_connect() link.
    $sSQL = sprintf(
        "INSERT INTO rss_data (newsurlid, newstitle) VALUES (%d, '%s')",
        65,
        mysql_real_escape_string("Special Ghana site for President Obama's visit")
    );
    ?>
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  4. #4
    spikeZ (Manchester UK; joined Aug 2004)
    erm... true


    See now this is what happens when you work in OOP more and more!
    I haven't written a query like that for a long time!
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  5. #5
    Linkoroo (SitePoint Enthusiast; linkoroo.com; joined Jul 2009)
    You should definitely use mysql_real_escape_string to prevent SQL injection as well.

  6. #6
    Dean C (SitePoint Wizard; England, UK; joined Mar 2003)

  7. #7
    SoulScratch (Guru in training; Maryland; joined Apr 2006)
    Quote Originally Posted by SilverBulletUK


    Shame on you!

    You should be using mysql_real_escape_string().

    PHP Code:
    <?php
    // %d forces the id to an integer; the title is escaped so the
    // apostrophe in "Obama's" does not terminate the string literal.
    // mysql_real_escape_string() needs an open mysql_connect() link.
    $sSQL = sprintf(
        "INSERT INTO rss_data (newsurlid, newstitle) VALUES (%d, '%s')",
        65,
        mysql_real_escape_string("Special Ghana site for President Obama's visit")
    );
    ?>
    I think both of you should be using prepared statements, as they're the least prone to exploits.
    Cross browser CSS bugs

    Dan Schulz you will be missed

  8. #8
    AnthonySterling (Twitter: @AnthonySterling; North-East, UK; joined Apr 2008)
    Wouldn't a prepared statement be a little overkill for a one-off query? When do you draw the line and move from a standard query to prepared statements?
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  9. #9
    Dean C (SitePoint Wizard; England, UK; joined Mar 2003)
    Quote Originally Posted by SilverBulletUK
    Wouldn't a prepared statement be a little overkill for a one-off query? When do you draw the line and move from a standard query to prepared statements?
    The MySQL manual discusses this in a lot of detail.
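    The prepared-statement route SoulScratch recommends in #7, as an added example that is not code from the thread: the INSERT from post #1 with the title passed as a bound parameter, in both PDO and mysqli. It assumes a MySQL database named `news` that holds the `rss_data` table; the credentials and the second sample id (96) are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The title travels to the server
// as a bound parameter, so the apostrophe in "Obama's" never becomes part of
// the SQL text and cannot terminate the string literal; the same property is
// what keeps attacker-controlled input from altering the query.
// DSN, credentials and the `news` database name are placeholders.

const NEWS_TITLE = "Special Ghana site for President Obama's visit";

// PDO variant: named placeholders, explicit parameter types.
function insertWithPdo(PDO $db, int $newsUrlId, string $newsTitle): int
{
    $stmt = $db->prepare(
        'INSERT INTO rss_data (newsurlid, newstitle) VALUES (:id, :title)'
    );
    $stmt->bindValue(':id', $newsUrlId, PDO::PARAM_INT);
    $stmt->bindValue(':title', $newsTitle, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// mysqli variant: positional placeholders, "is" = integer then string.
function insertWithMysqli(mysqli $db, int $newsUrlId, string $newsTitle): int
{
    $stmt = $db->prepare(
        'INSERT INTO rss_data (newsurlid, newstitle) VALUES (?, ?)'
    );
    $stmt->bind_param('is', $newsUrlId, $newsTitle);
    $stmt->execute();
    return $stmt->affected_rows;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=news;charset=utf8mb4',
    'DB_USER', 'DB_PASSWORD',   // placeholder credentials
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepare; with emulation PDO would quote client-side instead.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
echo 'PDO inserted ', insertWithPdo($pdo, 95, NEWS_TITLE), " row(s)\n";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'news'); // placeholders
echo 'mysqli inserted ', insertWithMysqli($mysqli, 96, NEWS_TITLE), " row(s)\n";
```

    On the "overkill" question in #8: binding costs one extra round trip but removes the escaping step entirely, whether the query runs once or a million times. The `mysql_*` functions used earlier in the thread were removed in PHP 7, so PDO or mysqli is the only option on current PHP anyway.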

  10. #10
    AnthonySterling (Twitter: @AnthonySterling; North-East, UK; joined Apr 2008)
    Thanks Dean, off for a read.

    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
