[SOLVED] Sending a ' in query causes an error

burntheblobs · November 29, 2008

When I send a variable through mysql that contains a ' (the variable being inserted points to text that contains the ' character) it creates an error in the query. Is there any way around this?

corbin · November 29, 2008

http://php.net/mysql_real_escape

You might want to read up on sql injection.

burntheblobs · November 29, 2008

Thank you for the link. I didn't even think about that kind of security flaw. I now have this in my code and for some reason it is bad sql syntax and it can't even execute the query now no matter what.

'sprintf('%s',mysqli_real_escape_string($_POST[Comment]))'

Mchl · November 29, 2008

Show us some more code.

burntheblobs · November 30, 2008

		$query = "INSERT INTO post (Id,comment,first,second,third,posterIp,postDate)
							VALUES ('".mysqli_insert_id($cxn)."','sprintf('%s',mysqli_real_escape_string($_POST[Comment]))','$_POST[firstRating]',
									'$_POST[secondRating]','$_POST[thirdRating]','".getIp()."',
									'".date("Y/m/d")."')";

str8thug843 · November 30, 2008

$comment = mysql_real_escape_string($_POST['firstRating']);
$firstrating = $_POST['firstRating'];
$secondrating = $_POST['secondRating'];

.. ect ect

then in your values ('$comment', ' $firstrating', '$secondrating')

.. ect

Sign In

[SOLVED] Sending a ' in query causes an error

Recommended Posts

burntheblobs

Link to comment

Share on other sites

corbin

Link to comment

Share on other sites

burntheblobs

Link to comment

Share on other sites

Mchl

Link to comment

Share on other sites

burntheblobs

Link to comment

Share on other sites

str8thug843

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information