Problem inserting ' in DB using PHP

**Dormilich** · Apr 17 '09, 09:20 AM

it is never a good idea to name DB fields with reserved characters…

try enclosing the name in backticks (`, &#96;).

**asivakrupa** · Apr 17 '09, 09:24 AM

Actually the field is a comments field where the user will give his input. It can also contain the single quote( ' ) which is the apostrophe character.

So you mean to say I should use back slash.. Ok...I will try out..

**asivakrupa** · Apr 17 '09, 09:25 AM

hi,

Can you post any samples which use that back slashes for my reference?

Thanks in advance.

**Dormilich** · Apr 17 '09, 09:27 AM

looks like the content was not properly escaped when inserting the value. go safe and use prepared statements.

in SQL special characters are escaped using the backslash.

**asivakrupa** · Apr 17 '09, 09:31 AM

What do you mean by a back tick? Can you please explain me.?

Thanks in advance.

**Dormilich** · Apr 17 '09, 09:34 AM

some mis-reading of mine, you can use backticks to "escape" the field names.

Code:

SELECT `field name` FROM table

see answer above.

**asivakrupa** · Apr 17 '09, 10:17 AM

Hi,

I tried using " " for the fields. If you execute the following in SQL Query analyzer it works!!!

Code:

select "competitor_name" from Competitor

But in PHP you are going to include the above query as a string. So here the problem arises.

Code:

$query="select "competitor_name" from Competitor";

In the above code, the double quotes get mixed up resulting in errors.

Please help me out.
Thanks in advance.

**Dormilich** · Apr 17 '09, 10:20 AM

as already stated field name may only be quoted by backticks (the double quotes terminate your sql string giving you an 'unexpected string' PHP error)

**Markus** · Apr 17 '09, 10:23 AM

You need to escape single quotes, double quotes, new line characters, etc.

Check out what mysql_real_esca pe_string() does, and implement a version of your own for mssql.

**asivakrupa** · Apr 17 '09, 10:24 AM

Hi,

I am not able to understand the backtick character.. Can you please explain me the same.?

Thanks in advance.

**Dormilich** · Apr 17 '09, 10:25 AM

…or use Prepared Statements, where the SQL server does it for you.

**Markus** · Apr 17 '09, 10:28 AM

Originally posted by Dormilich

…or use Prepared Statements, where the SQL server does it for you.

Just showing some different options, dormilich. Words like 'Prepared Statements' can seem intimidating to newbies.

**Dormilich** · Apr 17 '09, 10:30 AM

Originally posted by asivakrupa

I am not able to understand the backtick character.. Can you please explain me the same.?

backticks in the MySQL manual

**Dormilich** · Apr 17 '09, 10:56 AM

I want to point out a (common) problem, you might sooner or later (hopefully never) be confronted with: SQL Injection (an attack technique to take over/exploit your database).

Once you're getting comfortable with using your database, I recommend reading more of that topic (some links from google) and how to work against it (again google). (…or just ask the experts at Bytes)

regards

Problem inserting ' in DB using PHP

Problem inserting ' in DB using PHP

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment