I am using a particular query for inserting records. It is going well. I am even fetching records with a select query. But my problem is that, if the record contains single
You have to escape the data
$sid = mysql_real_escape_string($sid);
Use the http://www.php.net/manual/en/function.mysql-real-escape-string.php function on your string to quote "'" and other special symbols. Another way to prevent injection - use different connections (login-passwords) with different rights for inserting and selecting. In this case mysql_real_escape_string will work well.
Your problem is much worse than this -- what if someone enters the value '; DROP TABLE poet; -- ?
You need to use either mysql_real_escape_string() to escape the value, or use parametrized queries (with PDO, for example).
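The parametrized-query route from the answer above, as an added example that is not code from the thread. It uses an in-memory SQLite database through PDO as a stand-in for MySQL so it runs without a server; the table name poet (taken from the answer) and its columns are assumed for illustration.

```php
<?php
// Added example: PDO prepared statements for INSERT and SELECT.
// SQLite in-memory stands in for MySQL; the poet table layout is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE poet (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// The value is bound as a parameter, so it is never spliced into the SQL text
// and no escaping of quotes is needed on the caller's side.
function insertPoet(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO poet (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// Same pattern for the SELECT: exact-match lookup through a bound parameter.
function findPoet(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM poet WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function countPoets(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM poet')->fetchColumn();
}

// 1. The questioner's case: a name containing a single quote round-trips intact.
$name = "Seán O'Casey";
insertPoet($db, $name);
printf("stored and fetched back: %s\n", findPoet($db, $name)['name']);

// 2. The payload quoted in the answer is stored as an ordinary string; the table survives.
$payload = "'; DROP TABLE poet; --";
insertPoet($db, $payload);
printf("payload stored literally: %s\n", var_export(findPoet($db, $payload)['name'] === $payload, true));
printf("rows in poet: %d\n", countPoets($db));

// For contrast, this is the SQL text that naive concatenation would have sent (not executed here):
printf("unsafe concatenation would send: INSERT INTO poet (name) VALUES ('%s')\n", $payload);
```

The last line only shows the broken statement text; the point is that the prepared statement never lets the value become part of the statement at all.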
It's 2011, for crying out loud. Why is SQL injection still a widespread problem?