This question already has answers here:
How to insert a value that contains an apostrophe (single quote)?
(13 answers)
Closed 7 years ago.
In my database, I have a column named storeName with a value called Joe's Kitchen.
When user enters Joe's Kitchen, I would store it in a variable named storeName and do a select query on it like this: "SELECT * FROM shops WHERE storename='".$storeName."'". Problem now is that the value contains apostrophe, how should I go about this ?
I have tried the method below but it is not working
$storeName = mysqli_real_escape_string($db->getConnection(),$_POST["storeName"]);
Escape the apostrophe in query by writing two apostrophes
Example
SELECT * FROM shops WHERE storename='Joe''s Kitchen' //added 2 apostrophes
this is not a recommended method since it has serious security issues, try to use pdo or parameterized queries
In your SQL query, you can replace the single quote ' by `. Then the name can contain single quotes...
You can do this way also
SELECT * FROM shops WHERE
storename="Joe\'s Kitchen"
Related
This question already has answers here:
How to escape underscore in the string query in hibernate and SQL?
(2 answers)
Closed 1 year ago.
I have one MySQL query which is using LIKE for matching a string with one of my tables columns, and it's working fine in most of the scenarios.
select * from TableName where Column like "%STRING%"
But No I have one group of records that have "_0" in it. in this case, I get a get query something like this.
select * from TableName where Column like "%_0%"
in this case, MySQL is taking _ as a wildcard and skipping the first index from the string
Now my question is, is it possible to make this search work as it is, any way to tell MySQL it's not ( _ ) wildcard, So search for the string.
I will really appreciate your help.
Thanks in advance.
Query Result Image
You can use a backslash to escape it:
where Column like '%\_0%'
Or use your own escape character:
where Column like '%$_0%' escape '$';
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 2 years ago.
I am working on a project where another developer created a table with column names like 'Business Name'. That is a space between two words. If I run a SELECT statement with 'Business Name' it says there is no column with name 'Business'.
How can I solve this problem?
Generally the first step is to not do that in the first place, but if this is already done, then you need to resort to properly quoting your column names:
SELECT `Business Name` FROM annoying_table
Usually these sorts of things are created by people who have used something like Microsoft Access and always use a GUI to do their thing.
If double quotes does not work , try including the string within square brackets.
For eg:
SELECT "Business Name","Other Name" FROM your_Table
can be changed as
SELECT [Business Name],[Other Name] FROM your_Table
You need to use backtick instead of single quotes:
Single quote - 'Business Name' - Wrong
Backtick - `Business Name` - Correct
To each his own but the right way to code this is to rename the columns inserting underscore so there are no gaps. This will ensure zero errors when coding. When printing the column names for public display you could search-and-replace to replace the underscore with a space.
I got here with an MS Access problem.
Backticks are good for MySQL, but they create weird errors, like "Invalid Query Name: Query1" in MS Access, for MS Access only, use square brackets:
It should look like this
SELECT Customer.[Customer ID], Customer.[Full Name] ...
I think double quotes works too:
SELECT "Business Name","Other Name" FROM your_Table
But I only tested on SQL Server NOT mySQL in case someone work with MS SQL Server.
This question already has answers here:
How get post value in pagination
(2 answers)
Closed 8 years ago.
I am working on pagination on search result.I referred below link and I am not able to pass value when search text starts with single quote..
How get post value in pagination.
Can you please help me..
thanks
This is because the single quote is embedded into the literal string $sql. It halts the query, and this is dangerous because a hacker can do what is called SQL Injection -> https://www.acunetix.com/websitesecurity/sql-injection/ .
Anyway, the mysql extension has been deprecated, meaning it is no longer supported and maintained. You have two easy options: mysqli or PDO. I personally recommend using PDO -> http://cz1.php.net/PDO . It will be easy to convert your code.
With PDO you can bind your input to certain fields:
$sql="Select count(*) from FIMTRN_Memorial where FirstName like :search";
$sql = $database->prepare($sql);
$sql->execute(array(":search" => "%".$_SESSION['searchchar']."%"));
$result = $sql->fetchAll(PDO::FETCH_ASSOC);
I hope I could help!
UPDATE:
With the above parameterized query, your search string cannot contain a percentage sign, as this will act as a wild-card character.
UPDATE 2:
I don't know if you noticed that $_GET{'page'} is meant to be $_GET['page'] in the previous answer.
This question already has answers here:
Using backticks around field names
(11 answers)
Closed 9 years ago.
e.g.
query is
SELECT `username`, `uid`,`email` from profile and `id`='0';
and
SELECT username, uid,email from profile and id='0';
both will yeild same result.
so why we should use or not use ` in mysql query.
You can name your columns anything if you use ` to delimit them. You could call it timestamp, restrict or any other keyword. Or you could call it 60000. Or you could call it domain of the flying spaghetti monster if you really wanted.
SELECT `domain of the flying spaghetti monster` FROM `table`
has to be the weirdest select query I've seen!
The backtick and nonbacktick versions that you show both do the same thing.
The main reason one would use backticks is to escapse a MySQL reserved word or a column with a space in the column name.
Backticks will allow you use mysql reserved words as column names. Which is not a good idea to use anyways.
Example:
SELECT from, insert,delete from profile and `id`='0'; will not work
SELECT `from`, `insert`,`delete` from profile and `id`='0'; will work
This question already has answers here:
How to select two columns as one?
(2 answers)
Closed 8 years ago.
I want to make a "search engine" with people in php. I have two columns. The first is with first_name and the secon is with last name i use this sql syntax:
SELECT *
FROM users
WHERE first_name OR last_name LIKE '$search_term%'
I wand the sql to search for first name and for last name the same time with out having one column with first_name and last_name together. Please Help !!!!
it should be
SELECT *
FROM users
WHERE first_name LIKE '$search_term%' AND
last_name LIKE '$search_term%'
But the query above performs full table scan because it doesn't use index. For better performance, search about FULL TEXT SEARCH.
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?