James Buckland
Reputation: 59
Query for sanitized single quotes in MySQL database.
When inserting names into a customer database I used the MySQLi function real_escape_string to sanitize the data. An example entry with a single quote now looks like this:
Baker\'s Pharmacy
However when I try to query for the name using a query such as:
$search = "Baker's Pharmacy";
$searchName = $db->real_escape_string($search);
$query = "SELECT Name FROM Customers WHERE Name = '$searchName'";
I return no matches, what is the correct way to search for santised single quotes?
Any help is greatly appreciated!
Upvotes: 1
Views: 452
Answers (1)
Your Common Sense
Reputation: 157918
There are two wrong assumptions that needs to be cleared up.
- Whatever
*escape_stringfunction does not sanitize anything. that's just a nasty rumor that PHP folks are better to finally get rid of. - anyway, by using this function, you are formatting your data not for a database but for the SQL query only. All slashes are stripped off by a database and the data gets stored as is.
Instead of "sanitizing" you have to use mysqli prepared statements for both insert and select queries, and you will see not a single problem related to quotes (unless there are magic_quotes or their home-brewed equivalent are hanging around).
Upvotes: 3
Related Questions
- PHP MySQLi escape quotes
- Removing single quotes when retrieving data with php mysqli SELECT
- mysqli_real_escape_string and double quotes issue
- PHP query with string contain quotes
- escape from single quotes data in mysql query
- how to escape double quote characters in mysqli_query() in PHP?
- Properly escaping mysqli query in PHP
- How can I query a column which has apostrophes in it with MySQLi
- Why does mysqli still escape quotes?
- SQL Injection, Quotes and PHP