
mysql_query("INSERT INTO objects(objId, objectId, objectCategory, SortOrder, Name) VALUES('{$obj_id}', '{$object_id}', '{$object_category}', '{$sortorder}', 'My " . $objecta['Name'] . "')")or die(mysql_error()); 

This code fails when $objecta['Name'] has a single quote in it. I can't seem to be able to quote everything so that it works even if $objecta['Name'] has a single quote in it.

Question author Displayname | Source


Two things:

1) You should escape your input: mysql_real_escape_string($objecta['Name']). This ensures that characters like ' are escaped, i.e. \', which allows the insert to happen.

2) The mysql_* extension is deprecated, and you should really at least use mysqli_*, PDO or another database driver. Using prepared statements in one of these other database drivers accomplishes the same as what I said above.

Answer author Skrilled
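A worked version of the answer's second recommendation, added here as an example and not code from the original question or answer: the same INSERT rewritten as a PDO prepared statement, so a value such as O'Brien is sent to the server as bound data rather than spliced into the SQL text, which fixes both the breakage on a single quote and the SQL injection it signals. The DSN, credentials and the sample $objecta row are placeholders assumed for illustration. Note that mysql_real_escape_string() (the answer's first option) needs an open mysql_* connection, and that extension was removed entirely in PHP 7.0, so on any current PHP only the prepared-statement route works.

```php
<?php
// Added example: the INSERT from the question, rewritten with PDO prepared statements.
// Connection details are placeholders (assumption), not values from the original post.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        // Throw on errors instead of the "or die(mysql_error())" pattern.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares so bound values never enter the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Constructed sample input: a name containing single and double quotes, the
// case that broke the original string-concatenated query.
$objecta = ['Name' => "O'Brien's \"special\" item"];
$obj_id = 1;
$object_id = 42;
$object_category = 7;
$sortorder = 3;

// The SQL text contains only named placeholders; no request data is interpolated,
// so quotes in any value cannot change the statement's structure.
$stmt = $pdo->prepare(
    'INSERT INTO objects (objId, objectId, objectCategory, SortOrder, Name)
     VALUES (:obj_id, :object_id, :object_category, :sortorder, :name)'
);

$stmt->bindValue(':obj_id', $obj_id, PDO::PARAM_INT);
$stmt->bindValue(':object_id', $object_id, PDO::PARAM_INT);
$stmt->bindValue(':object_category', $object_category, PDO::PARAM_INT);
$stmt->bindValue(':sortorder', $sortorder, PDO::PARAM_INT);

// The "My " prefix from the original query is applied in PHP and the whole
// result is bound as one string value; no escaping call is needed.
$stmt->bindValue(':name', 'My ' . $objecta['Name'], PDO::PARAM_STR);

$stmt->execute();

echo 'Inserted row id ' . $pdo->lastInsertId() . PHP_EOL;
```

The same shape works with mysqli (mysqli_prepare, mysqli_stmt_bind_param with "iiiis", mysqli_stmt_execute); the point in either driver is that the query string is fixed before any data is attached, so there is nothing left to quote.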