I have a db table that contains some business names.
I need to query by name and usually have no problems unless the name contains an apostrophe.
("
SELECT *
FROM t1
WHERE bus_name = '".$busName."'
")
I've experimented and tried using static value, like this:
("
SELECT *
FROM t1
WHERE bus_name = \"Bob's store\"
")
and it worked. Tried:
("
SELECT *
FROM t1
WHERE bus_name = \"".$busName."\"
")
and it doesn't. What am I missing?
You should prepare the query; here is an example using PDO:
$stmt = $pdo->prepare("
SELECT *
FROM t1
WHERE bus_name = :busName
");
$stmt->bindValue(':busName', $busName);
$stmt->execute();
var_dump($stmt->fetchAll());
Use prepared statements for this (or any) case.
$pdo = new PDO(...);
$stmt = $pdo->prepare('SELECT ... FROM ... WHERE foo = :foo');
$stmt->bindValue(':foo', "foo ' bar");
$stmt->execute();
Your source in its current state is vulnerable to command injection (SQL injection).
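Both answers make the same point, so here is one added, self-contained example (not code from the question or either answer) that puts the concatenated query from the question next to the PDO prepared statement and runs both against an in-memory SQLite database, so it needs nothing but php-cli with pdo_sqlite. The table `t1`, the column `bus_name`, the sample rows and the payload string are constructed for this demonstration. It shows the two things the thread is about: the apostrophe in "Bob's store" breaking the concatenated query while the bound parameter matches it, and the same concatenation letting a crafted value rewrite the WHERE clause.

```php
<?php
// Added example, not from the original post: concatenated SQL versus a PDO
// prepared statement against an in-memory SQLite database. Table t1, column
// bus_name, the seed rows and the payload are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE t1 (id INTEGER PRIMARY KEY, bus_name TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO t1 (bus_name) VALUES (:name)');
foreach (["Bob's store", 'Alice Bakery', 'Carol & Sons'] as $name) {
    $seed->execute([':name' => $name]);
}

// The pattern from the question: the value is spliced into the SQL text, so
// any quote character inside the value becomes part of the SQL grammar.
function findByNameConcat(PDO $pdo, string $busName): array
{
    $sql = "SELECT * FROM t1 WHERE bus_name = '" . $busName . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix from the answers: the value travels as a bound parameter. The SQL
// text is fixed at prepare() time, so quoting inside the value is irrelevant.
function findByNamePrepared(PDO $pdo, string $busName): array
{
    $stmt = $pdo->prepare('SELECT * FROM t1 WHERE bus_name = :busName');
    $stmt->bindValue(':busName', $busName);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. The apostrophe. Concatenation yields  ... bus_name = 'Bob's store'
//    which the database rejects as a syntax error; the prepared statement
//    finds the row.
try {
    findByNameConcat($pdo, "Bob's store");
    echo "concat: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concat: database error - " . $e->getMessage() . "\n";
}
$rows = findByNamePrepared($pdo, "Bob's store");
echo "prepared: " . count($rows) . " row(s), first = " . $rows[0]['bus_name'] . "\n";

// 2. The security consequence. A value that closes the quote and appends its
//    own condition turns the concatenated query into
//        ... bus_name = 'x' OR '1'='1
//    which matches every row. The prepared statement searches for a business
//    literally named "x' OR '1'='1" and matches nothing.
$payload = "x' OR '1'='1";
echo "concat with payload: " . count(findByNameConcat($pdo, $payload)) . " row(s)\n";
echo "prepared with payload: " . count(findByNamePrepared($pdo, $payload)) . " row(s)\n";
```

Run it with `php example.php`. The same two functions work unchanged against MySQL by swapping the DSN in the `new PDO(...)` call; the point is that `findByNamePrepared` never changes the SQL text no matter what `$busName` contains, which is why escaping the apostrophe by hand (or switching the string delimiters, as tried in the question) is the wrong direction.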