Single Quotes Issues in sql query

[krishnakhanna]

Hi,
I have to store the following text in sql

INSERT INTO `rss_data` (`newsurlid`,`newstitle`) VALUES ('95','Special Ghana site for President Obama's visit')You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's visit')' at line 1

I am getting error because of single quotes; how to solve this and replace the single quotes?

[spikeZ]

addslashes()

[AnthonySterling]

addslashes()

Shame on you!

You should be using mysql_real_escape_string().

PHP Code:

<?php
$sSQL = sprintf(
    "INSERT INTO rss_data (newsurlid, newstitle)VALUES(%d, '%s')",
    65,
    mysql_real_escape_string("Special Ghana site for President Obama's visit")
);
?>

[spikeZ]

erm... true


See now this is what happens when you work in OOP more and more!
I haven't written a query like that for along time!

[Linkoroo]

You should definitely use mysql_real_escape_string to prevent sql injection as well.

[Dean C]

addslashes()

Tut tut

http://shiflett.org/blog/2006/jan/ad...-escape-string

[SoulScratch]

Shame on you!

You should be using mysql_real_escape_string().

PHP Code:

<?php
$sSQL = sprintf(
    "INSERT INTO rss_data (newsurlid, newstitle)VALUES(%d, '%s')",
    65,
    mysql_real_escape_string("Special Ghana site for President Obama's visit")
);
?>

I think both of you should be using prepared statements, as they're the least prone to exploits.

[AnthonySterling]

Wouldn't a prepared statement be a little overkill for a one-off query? When do you draw the line and move from a standard query, to prepared statements?

[Dean C]

Wouldn't a prepared statement be a little overkill for a one-off query? When do you draw the line and move from a standard query, to prepared statements?

The MySQL manual discusses this is in a lot of detail

[AnthonySterling]

Thanks Dean, off for a read.