kutchbhi Posted April 26, 2014

So I have an old bit of database that is inserting data into a table unescaped. Which means quotes are unescaped. Now I have to do a select with a LIKE comparison on the data. But since the data in the table isn't escaped, I get no match if I escape the data while selecting.

Basically the LIKE comparison takes place between "Tom Clancy's: Splinter Cell%" and "Tom Clancy's: Splinter Cell%"

Now I am not sure how to handle this. Any suggestions please?

    $escapedTitle = $db_connection->escape_string($title);
    $res = select_sql('products', "product_name LIKE '" . $escapedTitle . "%' AND subtitle = '" . $db_connection->escape_string($sub) . "' LIMIT 1");

Thanks

Ch0cu3r Posted April 26, 2014

mysqli->escape_string() won't convert the quotes to ' . Something else beforehand is most likely converting your quotes to its HTML entity. Maybe try decoding the entities before escaping the title, e.g.

    $escapedTitle = $db_connection->escape_string(html_entity_decode($title, ENT_QUOTES));

kutchbhi Posted April 26, 2014

Ah thanks man! I should have seen this myself. Meanwhile I came up with a ghetto solution: using preg_replace to convert the ' to ' and then addslashes to escape it. Works, but I think I'll stick with the html_entity_decode way.

Ch0cu3r Posted April 26, 2014

> then addslashes to escape it.

No need for that, mysqli->escape_string will escape the quote anyway.
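
An added example, not part of the thread or any poster's code: the same lookup done with a mysqli prepared statement. It goes one step beyond the escaping discussed above by also neutralising the LIKE wildcards % and _, which escape_string() leaves untouched. It assumes select_sql() builds a SELECT on products with the given WHERE condition; like_prefix() and find_product() are hypothetical names, and the sample title is constructed.

```php
<?php
// Added example, not code from the thread.

/**
 * Build a LIKE prefix pattern from a title that may arrive entity-encoded.
 * Entities such as &#039; are decoded first so the value matches rows that
 * were stored as raw text; LIKE metacharacters are then escaped with '|'.
 */
function like_prefix(string $title): string
{
    $raw = html_entity_decode($title, ENT_QUOTES, 'UTF-8');
    // strtr() replaces in a single pass, so the '|' characters it adds
    // are never escaped a second time.
    return strtr($raw, ['|' => '||', '%' => '|%', '_' => '|_']) . '%';
}

/**
 * Look up one product by title prefix and exact subtitle.
 * Table and column names are the ones in the original post; the query
 * shape is an assumption about what select_sql() produces.
 */
function find_product(mysqli $db, string $title, string $sub): ?array
{
    $stmt = $db->prepare(
        "SELECT * FROM products
         WHERE product_name LIKE ? ESCAPE '|' AND subtitle = ?
         LIMIT 1"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = like_prefix($title);
    // Bound parameters travel separately from the SQL text, so no
    // escape_string() or addslashes() call is needed for the quote.
    $stmt->bind_param('ss', $pattern, $sub);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Constructed input: apostrophe entity-encoded, plus literal % and _ characters.
$incoming = 'Tom Clancy&#039;s: Splinter Cell 100%_';
echo like_prefix($incoming), PHP_EOL;
```

The explicit ESCAPE '|' clause keeps the pattern independent of the server's NO_BACKSLASH_ESCAPES setting, which changes how a backslash escape is read.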