PHP
justbefree, 2018-01-31 14:35:17

Query from php to ms sql?

From PHP I send a query to an MS SQL database, of the following form:
$name = 'Text text text text "Some name in quotes"';
$sql = "SELECT * FROM Table WHERE Field = '".$name."'";
I don't get anything as a result of such a query :(
But if $name is in the form 'Text text text' or 'Text text text "Text in quotes"', then the query works fine.
Similarly, if you execute the query SELECT * FROM Table WHERE Pole = 'Text text text text "Some name in quotation marks"' directly in the database, it also works correctly.
Obviously there is a problem with the double quotes " ", but how do I solve it?

3 answer(s)
OKyJIucT, 2018-01-31
@OKyJIucT

Instead of
And to make quotes work, use PDO. But if you are too lazy to deal with PDO, then do it like this:
php.net/manual/ru/function.addslashes.php

$name = addslashes('Текст текст текст текст "Некое название в кавычках"');
$sql = "SELECT * FROM Table WHERE Pole = '".$name."'";

artem78, 2018-01-31
@artem78

You need to escape quotes:
See php.net/manual/en/pdo.quote.php
It is better to use parameter substitution: php.net/manual/en/pdo.prepare.php#refsect1-pdo.pre...

Anton, 2018-01-31
@karminski

Congratulations! You learned first hand what SQL injection is! All data that you use in queries must be converted to a safe form. And it's best to use PDO.
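
The parameter substitution recommended in the answers, compared with an addslashes()-built literal, as an added example that is not part of the original thread. Assumptions: an in-memory SQLite database (pdo_sqlite) stands in for MS SQL so the script runs offline, the table name Items is hypothetical, and the sample names are constructed. Both SQLite and SQL Server escape a quote inside a string literal by doubling it, not with a backslash.

```php
<?php
// Added example. SQLite in-memory stands in for MS SQL so this runs offline;
// against SQL Server only the PDO DSN would change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Items (Pole TEXT)'); // hypothetical table

// Constructed sample values: double quotes, a single quote, a backslash.
$names = [
    'Text text text text "Some name in quotes"',
    "O'Brien \"Trading\" Co",
    'C:\\temp "backup"',
];

// Insert with bound parameters: the value never becomes part of the SQL text.
$insert = $pdo->prepare('INSERT INTO Items (Pole) VALUES (:name)');
foreach ($names as $n) {
    $insert->execute([':name' => $n]);
}

// Lookup with a bound parameter: no quoting or escaping by hand.
function findPrepared(PDO $pdo, string $name): int {
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM Items WHERE Pole = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Lookup by string concatenation with addslashes(). The backslashes it adds
// are ordinary characters to the database, so the literal no longer equals
// the stored value, and a single quote still terminates the literal early.
function findAddslashes(PDO $pdo, string $name): int {
    $sql = "SELECT COUNT(*) FROM Items WHERE Pole = '" . addslashes($name) . "'";
    try {
        return (int) $pdo->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return -1; // the statement was malformed and rejected by the database
    }
}

foreach ($names as $n) {
    printf("%-45s prepared=%d addslashes=%d\n",
        $n, findPrepared($pdo, $n), findAddslashes($pdo, $n));
}
```

The prepared lookup finds each stored row, while the addslashes() lookup either matches nothing or, for the value containing a single quote, produces a statement the database rejects.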
