mysql escaping single and double quotes


Solution 1

mysql_real_escape_string is made for just this.

PHP: mysql_real_escape_string

// Note: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0;
// column names are identifiers and take backticks, not single quotes.
$insert = "INSERT INTO wp_posts (`body`,`title`) VALUES ('".mysql_real_escape_string($row['body'])."', '".mysql_real_escape_string($row['title'])."')";

Solution 2

The other option is to use mysqli and prepared statements

// `table` is a reserved word in MySQL, so it must be backtick-quoted if used as a name.
$stmt = $this->db->prepare("insert into `table` (id,name,longstring) values (?,?,?)");
// 'iss' = first value bound as integer, the other two as strings
$stmt->bind_param('iss', $row["id"], $row["name"], $row["body"]);
$stmt->execute();

mysqli will bind the assigned parameters to the ? in the prepared statement as an integer (i) or a string (s).
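The migration loop from the question, rewritten around the prepared-statement approach of Solution 2 (an added example, not code from the original answer). One statement is prepared once and executed per row; the data travels to the server separately from the SQL text, so quotes, `<div>` tags or anything else in `body` can neither break the query nor be interpreted as SQL. The connection details, the source database name `old_blog` and the `Post` table are placeholders assumed for the example; the escape-based helper at the bottom is the mysqli equivalent of Solution 1, kept only to show what it still requires you to get right.

```php
<?php
// Added example: migrate body/title rows into wp_posts with mysqli prepared statements.
// Host, credentials, database and table names below are assumptions for illustration.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any MySQL error

$db = new mysqli('localhost', 'wp_user', 'password', 'wordpress');
$db->set_charset('utf8mb4'); // the connection charset also decides how escaping works

$sourceDb = 'old_blog'; // assumption: name of the database being migrated from

// Identifiers (database, table and column names) cannot be bound as parameters.
// They must be trusted or checked against an allow-list before interpolation.
if (!preg_match('/^[A-Za-z0-9_]+$/', $sourceDb)) {
    throw new InvalidArgumentException('unexpected source database name');
}

$select = $db->query("SELECT body, title FROM `{$sourceDb}`.`Post`");

// Prepare once; each `?` is filled by the server from the bound values, so
// "today's ..." or <div class="entry-content"> in the data stay plain text.
$insert = $db->prepare('INSERT INTO wp_posts (`body`, `title`) VALUES (?, ?)');
$body = '';
$title = '';
$insert->bind_param('ss', $body, $title); // binds by reference, once ...

$db->begin_transaction();
while ($row = $select->fetch_assoc()) {
    $body  = $row['body'];   // ... so reassigning the variables is enough per row
    $title = $row['title'];
    $insert->execute();
}
$db->commit();

printf("migrated %d rows\n", $select->num_rows);

// Solution 1 in mysqli terms: escaping works only if the value is escaped for the
// connection's charset AND placed inside single quotes in the SQL text. Forget either
// and the query breaks (or becomes injectable) exactly as in the question.
function buildEscapedInsert(mysqli $db, string $body, string $title): string
{
    return sprintf(
        "INSERT INTO wp_posts (`body`, `title`) VALUES ('%s', '%s')",
        $db->real_escape_string($body),
        $db->real_escape_string($title)
    );
}
```

Prefer the bound-parameter path: `real_escape_string` still leaves the quoting, the charset and the identifier handling to you, while `bind_param` removes the data from the SQL text altogether.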

Author: Matt Elhotiby

Updated on June 04, 2022

Comments

  • Matt Elhotiby, almost 2 years ago

    I have a script that I am writing to move certain fields to a new db like

    $results = mysql_query("SELECT body, title FROM $source_db.Post");
    // $users_result was never defined; the result set being checked is $results
    if (mysql_num_rows($results) > 0) {
        while ($row = mysql_fetch_array($results)) {
            // Values are interpolated straight into the SQL text, so any quote in
            // body or title ends the string literal early (and is SQL injection).
            $insert = "INSERT INTO wp_posts (`body`,`title`) VALUES ('{$row['body']}', '{$row['title']}')";
            mysql_query($insert);
        }
    }
    

    but as you can see the query will break every time due to the single and double quotes. Is there a solution to this problem, like heredoc or something?

    INSERT INTO wp_posts (`body`,`title`)
                VALUES
                    ('Here are the final returns from today's ...<br /><br />he stayed home...<br />
    <div class="entry-content">
    <div class="entry-body">', 'something')