MySQL error when inserting data containing apostrophes (single quotes)?
When I an insert query contains a quote (e.g. Kellog's
), it fails to insert a record.
ERROR MSG:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','Corn Flakes 170g','$ 15.90','$ 15.90','$ 14.10','--')' at line 1MySQL Update Error:
The first 's'
, should be Kellogg's
.
Is there any solution?
Solution 1:
Escape the quote with a backslash. Like 'Kellogg\'s'
.
Here is your function, using mysql_real_escape_string
:
function insert($database, $table, $data_array) {
// Connect to MySQL server and select database
$mysql_connect = connect_to_database();
mysql_select_db ($database, $mysql_connect);
// Create column and data values for SQL command
foreach ($data_array as $key => $value) {
$tmp_col[] = $key;
$tmp_dat[] = "'".mysql_real_escape_string($value)."'"; // <-- escape against SQL injections
}
$columns = join(',', $tmp_col);
$data = join(',', $tmp_dat);
// Create and execute SQL command
$sql = 'INSERT INTO '.$table.'('.$columns.')VALUES('. $data.')';
$result = mysql_query($sql, $mysql_connect);
// Report SQL error, if one occured, otherwise return result
if(!$result) {
echo 'MySQL Update Error: '.mysql_error($mysql_connect);
$result = '';
} else {
return $result;
}
}
Solution 2:
Replace mysql
with mysqli
. Use this
mysqli_real_escape_string($connection,$_POST['Description'])
Solution 3:
You should pass the variable or data inside mysql_real_escape_string(trim($val))
, where $val
is the data on which you are getting an error.
If you enter the text, i.e., "I love Kellog's", we have a '
in the string so it will break the query. To avoid it you need to store data in a variable like this $val = "I love Kellog's"
.
Now, this should work:
$goodval = mysql_real_escape_string(trim($val));
Solution 4:
You can also use the addslashes() function which automatically puts \
before '
to avoid error