cliftonbazaar, posted March 30, 2018

I have the following code:

$sql_statement = "SELECT * FROM toon WHERE ally_code = '".$user['ally_code']."' and name = '".$toons_array[$i][1]."' LIMIT 1";

Which works except if the person's 'name' has quotation marks in it; for example the name Adam "Danger" Smith doesn't match with Adam Danger Smith. My best attempt was:

$sql_statement = "SELECT * FROM toon WHERE ally_code = '".$user['ally_code']."' and trim(both '\"' from name) = '".$toons_array[$i][1]."' LIMIT 1";

Any suggestions please?
requinix, posted March 30, 2018

You've discovered SQL injection. It's not a bug, it's a vulnerability. Learn to use prepared statements instead of putting values directly into the query.
cliftonbazaar (author), posted March 31, 2018

Then wouldn't stripping the quotation marks also stop the injection attack? At the moment it only happens when there are quotation marks around their middle name; this is information pulled from a third-party site, so I can't stop it on their end.
mac_gyver, posted March 31, 2018

> Then wouldn't stripping the quotation marks also stop the injection attack?

No. SQL can be injected that contains no quotes, which your proposed method won't protect against. Do what was stated and use prepared queries, with place-holders for the data values in the SQL query statement, then provide the data values when the query gets executed. This will also greatly simplify your SQL query statement, because the PHP variables, the single quotes around the values, and the concatenation dots will be removed.
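To show what the replies above are recommending, here is an added example (not code posted in this thread) of the same lookup written as a PDO prepared statement with named placeholders. It uses an in-memory SQLite database with a constructed `toon` table so it runs offline; in the real application `$pdo` would be the existing MySQL connection, and the `ally_code`/`name` column names are taken from the original query. The row containing a single quote is exactly the kind of value that would have broken the concatenated version of the query.

```php
<?php
// Added example, not from the original thread. Requires the pdo_sqlite extension
// (assumption); with MySQL only the DSN passed to new PDO() would change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: table layout and rows are invented for this example.
$pdo->exec('CREATE TABLE toon (id INTEGER PRIMARY KEY, ally_code TEXT NOT NULL, name TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO toon (ally_code, name) VALUES (?, ?)');
foreach ([
    ['123456789', 'Adam "Danger" Smith'],   // double quotes inside the data
    ['123456789', "Mary O'Brien"],          // single quote: would end the literal in the concatenated query
    ['987654321', 'Adam "Danger" Smith'],   // same name, different ally_code
] as $row) {
    $seed->execute($row);
}

/**
 * Look up one toon by ally code and name.
 *
 * The SQL text is a fixed string; the values are handed to the driver separately
 * via execute(), so quotes (or anything else) inside them are plain data.
 */
function findToon(PDO $pdo, string $allyCode, string $name): ?array
{
    $sql = 'SELECT * FROM toon WHERE ally_code = :ally_code AND name = :name LIMIT 1';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':ally_code' => $allyCode, ':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A name with embedded double quotes matches without any escaping or trimming.
$toon = findToon($pdo, '123456789', 'Adam "Danger" Smith');
printf("found: %s (ally %s)\n", $toon['name'], $toon['ally_code']);

// A name with a single quote is handled the same way.
$toon = findToon($pdo, '123456789', "Mary O'Brien");
printf("found: %s (ally %s)\n", $toon['name'], $toon['ally_code']);

// No row: the function returns null instead of a partial match.
var_dump(findToon($pdo, '000000000', 'Adam "Danger" Smith'));
```

If the third-party data really does carry quotes that the stored names lack, normalise the PHP value before binding it (for example `str_replace('"', '', $name)`) or keep the `TRIM(BOTH '"' FROM name)` expression in the fixed SQL text; either way the value still goes in through the placeholder, never by concatenation.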