mapcuk
Reputation: 802
How to escape symbols in SQL query?
In PHP-script i need to update title, content fields. If I put "@" into content I get error "Description: Incorrect syntax near '@'." I fixed with symbols ' ". Is there any solution for escaping or framework for DB layer?
I'm forced to use f**ng MS SQL :(
Code:
$conn = new COM ("ADODB.Connection")
$db_conn = $conn->open('bla-bla-password...');
$query = sprintf( "UPDATE page SET title='%s', page_content='%s' WHERE id=%d;", addslashes($title), addslashes($content), intval($id));
$rs = $db_conn->execute($query);
Upvotes: 0
Views: 567
Answers (1)
Quentin
Reputation: 943649
Use PDO prepared statements to escape special characters … not sprintf or addslashes.
Upvotes: 4
Related Questions
- How to escape strings in SQL Server using PHP?
- Escaping special characters in Select statement SQL PHP
- MySQL escaping special characters
- Escaping characters without using MySql functions in PHP
- How do you escape quotes in a sql query using php?
- escape characters at a mysql query from php
- Escaping special characters in SQL query
- How to automatically escape strings in a PHP SQL query?
- php mysql special character escape
- Escaping Characters from MySQL from PHP Framework