This question already has an answer here:
- How can I prevent SQL injection in PHP? 28 answers
I'm trying to write a query using a variable passed through a URL, the problem is that a lot of the item names contain characters like ' or +, they weren't being passed properly through the URL, and those special character were being ignored(although I checked and couldn't see that they were reserved) Anyways, to get around this I used PHP function rawurlencode(), and rawurldecode() to pass the value as an encoded string, and on the receiving end I use the function to the decoded string. This works, and gives me the value I need to search for in the database, however when writing me query like so:
$name = rawurldecode($_GET["name"]);
$sql = "SELECT name, address, phone_number, hours_weekday, hours_weekend, description, email, food, pool, tv, dancing, late
FROM pubs WHERE name LIKE '" . $name . "'";
If the name was something like Darby's, the ' after the why acts as the end of the string in the statement, so what I am looking to do, is IF the string contains character ' then replace it with \' to escape it. Does anyone know how to do this or if it's possible?
Thank you!
</div>
