Possible Duplicate:
How do I handle single quotes inside a SQL query in PHP?
I had written the following code to fetch data from a MySQL table:
$clg = $row['text'];
// $clg is spliced straight into the SQL string, so any quote inside it becomes part of the statement
$query1 = "SELECT * FROM user WHERE text='$clg'";
$result1 = mysql_query($query1, $con) or die(mysql_error());
$count = mysql_num_rows($result1);
echo $count;
But the text field contains a single quote ('), which closes the quoted string in $query1 and results in a MySQL syntax error. How can I rectify this?
$clg = $row['text'];
// escape the value for the current connection's charset before splicing it into the query
$query1 = "SELECT * FROM user WHERE text='" . mysql_real_escape_string($clg) . "'";
$result1 = mysql_query($query1, $con) or die(mysql_error());
$count = mysql_num_rows($result1);
echo $count;
But you should know that the mysql_* function family will be deprecated soon. Please read the red box here, located on the php.net website.
<?php
function escape($string) {
    // undo magic_quotes slashes first so the value is not escaped twice
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
Write this function and call it:
$clg = escape($clg);
to prevent every MySQL syntax error and SQL injection.
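Both answers escape the value and keep building the SQL string by hand. The added example below (not from the question or either answer) runs the same count query with a bound parameter, which is the replacement the first answer's deprecation note points toward: the quote in the value is never parsed as SQL, so no escaping function is needed. It assumes PDO; an in-memory SQLite database stands in for the MySQL table so the script runs offline, and the `user` table, its rows and the search value are constructed for the demo. For MySQL only the DSN changes.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: PDO with an in-memory SQLite database standing in for MySQL;
// for MySQL use e.g. new PDO('mysql:host=localhost;dbname=app', $user, $pass).

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, text TEXT NOT NULL)');
    // Constructed sample rows; two of them contain the single quote from the question.
    $ins = $db->prepare('INSERT INTO user (text) VALUES (?)');
    foreach (["Smith", "O'Brien", "O'Brien"] as $t) {
        $ins->execute([$t]);
    }
    return $db;
}

// Vulnerable form from the question: the value is spliced into the SQL text.
function countByInterpolation(PDO $db, string $clg): int {
    $query1 = "SELECT COUNT(*) FROM user WHERE text='$clg'";
    return (int) $db->query($query1)->fetchColumn();
}

// Hardened form: the value travels as a bound parameter, separate from the SQL text.
function countByPreparedStatement(PDO $db, string $clg): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE text = :text');
    $stmt->execute([':text' => $clg]);
    return (int) $stmt->fetchColumn();
}

$db  = openDemoDb();
$clg = "O'Brien"; // constructed search value containing a single quote

try {
    echo countByInterpolation($db, $clg), "\n";
} catch (PDOException $e) {
    // The stray quote closes the string literal, so the statement no longer parses.
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}

echo countByPreparedStatement($db, $clg), "\n";
```

Run it with `php example.php`: the interpolated query raises a syntax error exactly as described in the question, while the prepared statement returns the count of matching rows. The same code works unchanged against MySQL once the DSN points at the real table, and with the mysqli extension the equivalent is `$stmt->bind_param('s', $clg)` on a prepared statement.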