chinmay.sahoo
New member
INSERT INTO articles SET title='The PHP Anthology';
Perhaps the PHP script that made this query contained something like this:
<?php
$title = "The PHP Anthology";
// The title is interpolated straight into the SQL text; this is the weak spot discussed below.
$sql = "INSERT INTO articles SET title='$title';";
$result = mysql_query($sql, $dbConn); // legacy mysql extension (removed in PHP 7)
?>
No problem so far, but look what happens if we change the title:
$title = "PHP's Greatest Hits";
Notice the apostrophe in the title? When we place this in the SQL statement, the query MySQL receives will be as follows:
INSERT INTO articles SET title='PHP's Greatest Hits';
See the problem? When MySQL reads that statement, it will only get as far as this:
INSERT INTO articles SET title='PHP'
The rest of the statement will cause a syntax error and the query will fail. It’s easy enough to avoid this problem when you write the title yourself, but what happens when your script gets the value from user input?
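To make the contrast concrete, here is an added example (mine, not from the post or from the book it quotes) that builds the same INSERT two ways: by interpolating the title into the SQL text, as above, and through a PDO prepared statement, which keeps the value out of the statement text so an apostrophe can no longer break it. The `articles` table, the `title` column and the DSN/credential values are assumptions and placeholders.

```php
<?php
// Added example, not code from the original post.
// Assumes a MySQL table `articles` with a `title` column; the DSN, user and
// password below are placeholders.

// 1. String interpolation, as in the quoted snippet. Any apostrophe in
//    $title closes the string literal early and the statement is malformed.
function buildUnsafeInsert(string $title): string
{
    return "INSERT INTO articles SET title='$title';";
}

// 2. Prepared statement: the SQL text contains only the placeholder, and the
//    title travels to the server as a separate parameter. MySQL never parses
//    the title as SQL, so "PHP's Greatest Hits" is stored with its apostrophe.
function insertArticle(PDO $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO articles SET title = :title');
    $stmt->execute([':title' => $title]);
    return (int) $db->lastInsertId();
}

$title = "PHP's Greatest Hits";

// Reproduces the broken statement shown in the post:
// INSERT INTO articles SET title='PHP's Greatest Hits';
echo buildUnsafeInsert($title), PHP_EOL;

// Placeholder connection details; replace with real ones.
$db = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Same title, no manual escaping, no syntax error.
$id = insertArticle($db, $title);
echo "Inserted article id $id", PHP_EOL;
```

The first call only shows the malformed text; the second performs the insert, and the same pattern applies to any value that originates from user input.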