
Safely querying a MySQL database record that has quotes in it

pezholio
P: 22
Hi,

I'm trying (and failing) to find a safe method that returns records from a database if they have quotes in them, for example, if I generate a query like this:

SELECT * FROM foo WHERE bar LIKE 'here's pezholio's record with quotes'

Obviously it will be unsafe as I haven't escaped the quotes. I've tried storing the records with slashes already in them and then searching, i.e.:

SELECT * FROM foo WHERE bar LIKE 'here/'s pezholio/'s record with quotes'

Which should return a result. I've also tried HTML entities, i.e. 'here's pezholio's record with quotes'

But neither method works! Any ideas?
Jun 3 '08 #1
2 Replies


code green
Expert 100+
P: 1,726
Backslash to escape quotes
Jun 3 '08 #2

Atli
Expert 5K+
P: 5,058
You should run all strings through the mysql_real_escape_string function before adding them to a MySQL query.

It encodes all characters that may cause problems during the query, so it can be safely executed.

Alternatively, you could consider using the MySQLi class and its ability to use prepared statements.
Jun 3 '08 #3
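
The prepared-statement approach suggested in the reply above, applied to the LIKE query from the question. This is an added example, not code from the thread: the connection details are placeholders, the helper name findByBar is hypothetical, and the temporary table with its two rows is constructed sample data.

```php
<?php
// Added example, not from the thread. Host, user, password and database
// name are placeholders; the temporary table mirrors foo.bar from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Constructed sample data so the script runs against an empty database.
$db->query('CREATE TEMPORARY TABLE foo (bar VARCHAR(255))');
$insert = $db->prepare('INSERT INTO foo (bar) VALUES (?)');
$rows = ["here's pezholio's record with quotes", 'a record without quotes'];
foreach ($rows as $row) {
    $insert->bind_param('s', $row);
    $insert->execute();
}

/**
 * Find rows whose bar column contains $needle (hypothetical helper).
 * The value is sent separately from the SQL text, so quotes need no escaping.
 */
function findByBar(mysqli $db, string $needle): array
{
    // % and _ are LIKE wildcards, not SQL syntax, so a placeholder does not
    // neutralise them. Backslash is MySQL's default LIKE escape character.
    $literal = addcslashes($needle, '\\%_');
    $pattern = '%' . $literal . '%';

    $stmt = $db->prepare('SELECT bar FROM foo WHERE bar LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    // get_result() requires the mysqlnd driver.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Quotes in the search term match the stored quotes as they are.
print_r(findByBar($db, "pezholio's record"));

// A bare % is matched as a literal character, so no rows come back.
print_r(findByBar($db, '%'));
```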
