Mihai Bujanca

Reputation: 4219

String seems to end query

I am storing users' liked pages from facebook in my postgres database, one of them being Sinead O'Connor's page. It seems like when it gets to the apostrophe, it terminates the query because the apostrophes match and therefore results in an error:

  // $likes and $email are set earlier (not shown); both end up inside the SQL string
  $json_likes = json_encode($likes);
  echo $json_likes;
  // the JSON and the e-mail are interpolated directly into the SQL text
  $query = "UPDATE public.account_recover_users SET user_likes='$json_likes' WHERE user_mail='$email'";
  $result = pg_query($query);
  if (!$result)
      exit('{ "status": false }');
  else
      exit('{ "status": true }');

Now what I get here is :

Warning: pg_query() [function.pg-query]: Query failed: ERROR: syntax error at or near "Connor" LINE 1: ...l","page_id":"243440865683470"},{"name":"Sinead O'Connor","p...

Any idea how I should handle this? My app's users might have all sorts of characters in their liked pages.

Upvotes: 2

Views: 276

Answers (2)

Geeky Guy

Reputation: 9399

Just be glad you're not trying to store the page for Bobby Tables. Your app is vulnerable to SQL Injection - do escape apostrophes, for your own good.

TL;DR: the apostrophes in the text you're appending are being matched to the ones hard-coded in your application, malforming the SQL command. Hence the error.

Edit: moving this here from the comments. Here is a good guide on how to prevent SQL Injection in PHP

Upvotes: 5
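To make the point concrete, here is the question's string-built UPDATE beside a parameterised version using PHP's pg_query_params(). This is an added example, not code from the question or from either answer; it assumes an open connection in $conn and uses constructed sample values for $likes and $email.

```php
<?php
// Assumes $conn is an open pg_connect() handle (not shown).
// Constructed sample input: a page name containing an apostrophe, as in the question.
$likes = [
    ['name' => 'Sinead O\'Connor', 'page_id' => '243440865683470'],
];
$email = 'user@example.com'; // constructed sample

$json_likes = json_encode($likes);

// Vulnerable form (what the question does): the apostrophe in O'Connor closes
// the '...' literal early, so the rest of the JSON is parsed as SQL. That is the
// "syntax error at or near Connor", and the same mechanism lets any crafted
// page name change the meaning of the statement.
$bad_query = "UPDATE public.account_recover_users SET user_likes='$json_likes' WHERE user_mail='$email'";

// Fixed form: the SQL text and the values travel separately. The server binds
// $1 and $2 as data, so quotes, backslashes or anything else in the values can
// never become SQL syntax, and no escaping is needed.
$result = pg_query_params(
    $conn,
    'UPDATE public.account_recover_users SET user_likes = $1 WHERE user_mail = $2',
    [$json_likes, $email]
);

if ($result === false) {
    // pg_last_error() gives the server message without exposing it to the client
    error_log('update failed: ' . pg_last_error($conn));
    exit(json_encode(['status' => false]));
}
exit(json_encode(['status' => true, 'rows' => pg_affected_rows($result)]));
```

If a value ever must be spliced into the SQL text itself, pg_escape_literal($conn, $value) returns a correctly quoted and escaped literal for the connection's encoding; addslashes() is not PostgreSQL-aware and should not be relied on for this.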

Maxim Khan-Magomedov

Reputation: 1336

You have a single quote in the JSON string and it breaks the query. Use at least addslashes($json_likes) and addslashes($email).

Upvotes: 0
