How To Escape Quotes In A Mysql Query?

October 11, 2024 Post a Comment

Example: The follwing query give me Quotes error in the field -> GET['email'] mysql_query(' select * from user_info where user_mail = '$_GET['email']' ')

Solution 1:

You might want to escape the string first:

$_GET['email'] = mysql_real_escape_string($_GET['email']);

And then:

mysql_query(" select * from user_info where user_mail = '" . $_GET['email'] . "' ");

The dots put the strings together.

Solution 2:

Use accolades like this.

mysql_query(" select * from user_info where user_mail = '{$_GET['email']}' ")

Also, make sure to escape your user input. Your current setup looks like it is vulnerable to SQL injection. Use http://php.net/manual/en/function.mysql-real-escape-string.php to clean up your user input (like $_GET values)

Solution 3:

It's not really an answer to your question, but I'd strongly advise you to use PDO or mysqli prepared statements. Thus, your original problem -- the escaping parameter strings -- will be automatically taken care of.

If you do not want to follow this advice, do this:

$email = mysql_real_escape_string($_GET['email']);
mysql_query("select * from user_info where user_mail = '$email';");

Solution 4:

You don't need quotation marks for associative array field names if you are already inside a doubly-quoted string:

$str = "Hello $_GET[email].";

Solution 5:

Use it this way:

$SQL = "SELECT * FROM user_info WHERE user_mail = '".$_GET['email']."'";
mysql_query($SQL);

But I strongly advice to take some security actions with $_GET['email'], like this:

$email = mysql_real_escape_string($_GET['email']);
$SQL = "SELECT * FROM user_info WHERE user_mail = '".$email."'";
mysql_query($SQL);

Free Interactive Html5 Tutorial