savithananda Posted October 7, 2014

Hi, I have a website which uses apostrophes in merchant names (craig's) and product names (Fresh goat's). If I try to click on the search pages using these names with an apostrophe, then it displays the following error.

Error: SELECT * FROM merchant WHERE user_name='Major_Craig's_Chutney' && is_active='1' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's_Chutney' && is_active='1'' at line 1

I tried to add an apostrophe in the PHP file of the merchant search, but it still shows the same error or an empty page. Can anyone help me with this?
cyberRobot Posted October 7, 2014

Since the single quote appears in the middle of a single-quoted string, you need to escape the value. How is the query being built? For what it's worth, more information about escaping values in strings can be found here: http://dev.mysql.com/doc/refman/5.0/en/string-literals.html
savithananda Posted October 7, 2014 (Author)

Hi Guru, thank you. It works fine in MySQL, but I am getting the problem when the page is loading. In the search forms the company name is passed as a parameter in the URL; that is where I am getting this error. I tried to fix it in the search.php file using urlencode, but it is not fixed. Code used:

<?php echo urlencode($merchant->company_name); ?>
cyberRobot Posted October 7, 2014

Which database API are you using: MySQL, MySQLi, or PDO? Each of these APIs has a way to escape the string for you. MySQL, for example, uses mysql_real_escape_string(): http://php.net/manual/en/function.mysql-real-escape-string.php MySQLi also has a function for escaping strings called mysqli_real_escape_string(). If you are using MySQLi or PDO, you can also use Prepared Statements.

Side note: urlencode() isn't meant to escape strings for database use. It is meant to prepare a string to be used in a URL. More information can be found here: http://php.net/manual/en/function.urlencode.php
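The two replies above (escape the value because the quote sits inside a single-quoted SQL literal, and use a prepared statement or urlencode() only for the link) can be seen side by side in the following PHP. This is an added example, not code from the original poster or from the thread: the PDO DSN, credentials, `shop` database, `search.php` and `company` query parameter are assumptions, and the `merchant` table with `user_name` and `is_active` columns is taken from the error message in the first post. The point it demonstrates is that an apostrophe in the merchant name breaks the concatenated query (and would let an attacker inject SQL the same way), while a bound parameter treats the apostrophe as data.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection to a
// MySQL database (DSN and credentials below are hypothetical) with a `merchant`
// table that has `user_name` and `is_active` columns, as in the thread's error.

// 1. The pattern behind the error in the thread: the value is spliced into the
//    SQL text, so the apostrophe in "Major_Craig's_Chutney" closes the literal
//    early and everything after it is parsed as SQL. This is the same mechanism
//    an attacker uses for SQL injection, which is why escaping or binding is
//    not optional.
function buildQueryUnsafe(string $userName): string
{
    return "SELECT * FROM merchant WHERE user_name='" . $userName . "' && is_active='1'";
}

// 2. Prepared statement: the value never becomes part of the SQL string, so any
//    quote, backslash or comment marker inside it stays data. With
//    ATTR_EMULATE_PREPARES off, the server does the binding itself.
function findActiveMerchant(PDO $pdo, string $userName): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM merchant WHERE user_name = :user_name AND is_active = 1'
    );
    $stmt->execute([':user_name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. urlencode() belongs only where the name is written into the link. PHP
//    decodes it again into $_GET['company'] on search.php, and that decoded
//    value must still go through the prepared statement above; encoding the
//    URL does nothing for the SQL.
function searchLink(string $companyName): string
{
    return 'search.php?company=' . urlencode($companyName);
}

$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

$name = "Major_Craig's_Chutney";
echo buildQueryUnsafe($name), "\n";          // reproduces the broken SQL from the first post
$merchant = findActiveMerchant($pdo, $name); // succeeds, apostrophe and all
echo searchLink($name), "\n";                // search.php?company=Major_Craig%27s_Chutney
```

If the site is still on the old mysql_* extension, the equivalent is wrapping each value in mysql_real_escape_string() before concatenation, but note that that extension was deprecated in PHP 5.5 and removed in PHP 7, so moving to MySQLi or PDO with bound parameters is the fix that keeps working.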