kutchbhi
Posted April 26, 2014

So I have an old bit of database that is inserting data into a table unescaped. Which means quotes are unescaped. Now I have to do a select with a LIKE comparison on the data. But since the data in the table isn't escaped, I get no match if I escape the data while selecting.

Basically the LIKE comparison takes place between "Tom Clancy's: Splinter Cell%" and "Tom Clancy's: Splinter Cell%"

Now I am not sure how to handle this. Any suggestions please?

    $escapedTitle = $db_connection->escape_string($title);
    $res = select_sql('products', "product_name LIKE '" . $escapedTitle . "%' AND subtitle = '" . $db_connection->escape_string($sub) . "' LIMIT 1");

Thanks

Ch0cu3r
Posted April 26, 2014

mysqli->escape_string() won't convert the quotes to ' . Something else beforehand is most likely converting your quotes to its HTML entity. Maybe try decoding the entities before escaping the title, e.g.

    $escapedTitle = $db_connection->escape_string(html_entity_decode($title, ENT_QUOTES));

kutchbhi (Author)
Posted April 26, 2014

Ah thanks man! I should have seen this myself. Meanwhile I came up with a ghetto solution: using preg_replace to convert the ' to ' and then addslashes to escape it. Works but I think I'll stick with the html_entity_decode way.

Ch0cu3r
Posted April 26, 2014

> then addslashes to escape it.

No need for that, mysqli->escape_string will escape the quote anyway.

This topic is now archived and is closed to further replies.
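
The fix discussed in this thread (decode the entities before the lookup), as an added example that is not code from any poster. It goes beyond the thread by binding parameters instead of calling escape_string and by escaping LIKE wildcards; `normalize_title`, `like_prefix` and `find_product` are hypothetical names, the sample title is constructed, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example. Only products, product_name and subtitle come from the thread;
// every function name here is hypothetical.

// Undo entity encoding applied upstream so the search value matches the
// raw text stored in the table.
function normalize_title(string $title): string
{
    return html_entity_decode($title, ENT_QUOTES, 'UTF-8');
}

// Build a prefix pattern for LIKE. Backslash is MySQL's default LIKE escape
// character, so \, % and _ in the title are escaped to match literally.
function like_prefix(string $value): string
{
    $escaped = strtr($value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    return $escaped . '%';
}

// Look up one product with bound parameters, so quotes in the title never
// reach the SQL text and no manual quote escaping is needed.
function find_product(mysqli $db, string $title, string $sub): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM products WHERE product_name LIKE ? AND subtitle = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = like_prefix(normalize_title($title));
    $stmt->bind_param('ss', $pattern, $sub);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Offline demonstration with a constructed, entity-encoded title:
// prints the pattern that would be bound to the LIKE placeholder.
$incoming = 'Tom Clancy&#039;s: Splinter Cell';
echo like_prefix(normalize_title($incoming)), PHP_EOL;
```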