apostrophe in query problem

[New Coder]

Hello All,

 

I am trying to execute a query on my page that retrieves all a members details.

 

$conn = odbc_connect('DBname,'username','password');

      if(!$conn) {exit("Err:Conn"); }

 

$sql = "select * from members where member_id = '$member_id' ";

 

$rs = odbc_exec($conn, $sql);

if( !$rs )

{

exit ("Could not execute Query");

}

 

The member ID is created from their surname and a unique number

eg. Member: Joe Bloggs, Has Member ID: BLO987654

 

this will allow the query to excecute fine, but.. If I have a member Joe O'Rielly their Id number becomes O'R876543 and when thats put into the variable $member_id the query becomes

 

$sql = "select * from members where member_id = 'O'R876543' ";

 

The qeuery is then treating the apostrophe in the ID number as the end of the string and doesn't know what the rest of it is, so it just gives a could not execute query error.

 

How can I get it to recognise the apostrophe in the ID number as just part of the string??

 

Many Thanks

 

[Tyche]

You can escape the quote using a preceding \

 

so the following code should work

$sql = "select * from members where member_id = '".str_replace("'","\'",$member_id)."'";

 

\ is used as the escape character in MySQL but I believe it should work in most other SQL variants

 

 

 

[per1os]

$inputstring = mysql_real_escape_string($inputstring);  should do this for you automatically.

[New Coder]

I have tried both and neither work for mssql.

 

 

[per1os]

oh dip, my bad dude. I did not realize it was for mssql.

 

try:

 

$input_string = addslashes($input_string); // usually you try to avoid this but in this case I think it is merited.

 

 

[New Coder]

Cheers people,

 

before I read the new post I have manged to get

 

$sql = "select * from members where member_id = '".str_replace(" ' "," ' ' ",$member_id)."' ";

 

working.

 

Instead of \' it works with ' '.

 

Thanks.