Best Practice WIth Apostrophe in Php Mysql Queries [closed]

Question

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.

Closed 9 years ago.

Apostrophes can be a pain while sending sql update queries in from php when there's a non-matching "'" inside the string. What is the best practice to overcome this problem?

Thanks

Answer 1

I think the best practice is to use prepared statements, but you can use the addslashes($string) and stripslashes($string) functions too.

Answer 2

PDO:

$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->execute(array(':username' => $_GET['username']));

MySQLi:

$query = $mysqli->prepare('SELECT * FROM users WHERE username = s');
$query->bind_param('s', $_GET['username']);

These extensions have built-in functions for creating prepared queries which let you use quotes and apostrophes without any problems.