I am trying to insert data into a database (MySQL) but it is not successful when I try to add data with single or double quotes. It works fine otherwise (without quotes). I know we have to use mysql_real_escape_string
in such situations, but I am using the Joomla framework, where this function is not working.
My code is below:
```php
function insert($table, $array) {
    $db = JFactory::getDBO();
    $query = "INSERT INTO " . $table;
    $fis = array();
    $vas = array();
    foreach ($array as $field => $val) {
        // flatten multi-value inputs (e.g. checkbox groups) into one string
        if (is_array($val)) {
            $x = implode(",", $val);
        } else {
            $x = $val;
        }
        // you must verify the keys of the array outside of this function;
        // unknown keys will cause MySQL errors;
        // there is also an SQL injection risk
        $fis[] = "`$field`";
        // values are wrapped in quotes but not escaped, so a value containing
        // a single quote breaks the statement
        $vas[] = "'" . $x . "'";
    }
    $query .= " (" . implode(", ", $fis) . ") VALUES (" . implode(", ", $vas) . ")";
    $db->setQuery($query);
    $db->query();
}

insert('#__storage_companies', JRequest::get('post'));
```
Please tell me how to get rid of this.
See JDatabaseDriver::quote. Used like $db->quote($value). Also to quote field names, use $db->quoteName($value).
Take a look at Preparing the query from the Joomla wiki.
Your code should be like:
```php
// quoteName() wraps the field name in backticks (nameQuote was the old name
// of the same method); quote() escapes the value and wraps it in single quotes
$fis[] = $db->quoteName($field);
$vas[] = $db->quote($x);
```
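The asker's insert() rewritten along the lines of this answer, as an added example that is not code from the question or the answers. It assumes the Joomla JDatabaseDriver API (quote, quoteName, setQuery, query) and adds a hypothetical caller-supplied allowlist of column names ($allowedFields), which the original's own comments ask for, so unexpected POST keys never reach the query.

```php
<?php
// Added example: every value goes through $db->quote() and every field name
// through $db->quoteName(); only allowlisted columns are written.
function insertQuoted($table, array $data, array $allowedFields)
{
    $db  = JFactory::getDBO();
    $fis = array();
    $vas = array();

    foreach ($data as $field => $val) {
        // Drop any key the caller did not explicitly allow (unknown POST
        // keys, typos), instead of letting it into the column list.
        if (!in_array($field, $allowedFields, true)) {
            continue;
        }

        // Multi-value inputs are flattened the same way the original did.
        $x = is_array($val) ? implode(',', $val) : $val;

        $fis[] = $db->quoteName($field);
        // quote() escapes special characters and wraps the value in single
        // quotes, so a value such as O'Reilly becomes a safe literal.
        $vas[] = $db->quote($x);
    }

    if (empty($fis)) {
        return false; // nothing allowed to insert
    }

    $query = 'INSERT INTO ' . $db->quoteName($table)
        . ' (' . implode(', ', $fis) . ')'
        . ' VALUES (' . implode(', ', $vas) . ')';

    $db->setQuery($query);

    return (bool) $db->query();
}

// Same POST source as the question; the allowlist is a hypothetical column
// set for #__storage_companies (assumed, not from the question).
insertQuoted(
    '#__storage_companies',
    JRequest::get('post'),
    array('name', 'address', 'phone')
);
```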
Could you not escape the quotes yourself?
Just do:
```php
// backslash-escape single and double quotes in the value before it is
// wrapped in quotes by insert()
$val = str_replace(array("'", '"'), array("\\'", '\\"'), $val);
```