adnan khalid adnan khalid - 4 years ago 151
SQL Question

How to save string with single quote in database with mysqy_real_escap_string using PHP

I want to save string "thats'one" in my table columns, but I don't want to use

mysqy_real_escap_string
. So can anyone guide me regarding this how can I do that? I would like to appreciate. Many Thanks

Answer Source

Since Im seeing so many low quality comments here, here is a rough untested answer.

$query = "INSERT INTO table (Column) VALUES (?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $val1);
$val1 = "thats'one";
$stmt->execute();

This presumes $mysqli is your connection object.

Additional links on the topic:

http://php.net/manual/en/mysqli-stmt.execute.php
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
http://php.net/manual/en/security.database.sql-injection.php
How can I prevent SQL-injection in PHP?

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download