0

I am getting an error with a query similar to this, but I have not figured out the problem:

$str = "rob's";
...
$query ="INSERT INTO tableName (name) VALUES (mysql_real_escape_string('$str')";

Edit:

I apologize. I made a mistake while reducing my code down; this is closer to what I have that is giving an error:

$str = "rob's";
...
$query ="INSERT INTO tableName (name) VALUES (('".mysql_real_escape_string($str)."')";
Improve this question
3
  • 1
    It's best to abandon the antiquated mysql_ functions and switch to a library that offers parameterized queries, e.g. PDO. Commented Apr 17, 2012 at 20:10
  • You have an extra bracket here VALUES(('".mysql_real_escape_string($str)."') should be like VALUES ('".mysql_real_escape_string($str)."'). Isn't it? Commented Apr 17, 2012 at 20:32
  • "I am getting an error" - what does the error message say? That's quite important information, wouldn't you say? Commented Apr 17, 2012 at 20:33

4 Answers 4

Reset to default
4

mysql_real_escape_string()is PHP, not MySQL. You need to get it out of the quotes

$query ="INSERT INTO tableName (name) VALUES ('".mysql_real_escape_string($str)."')";

Also, $str is a string, so in MySQL it needs to be surrounded by qoutes too, I added them. You already had this in place, but because the function needed to get out of the quotes, they had to be moved

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1 
$query ="INSERT INTO tableName (name) VALUES ('" . mysql_real_escape_string($str) . "'";
Improve this answer

1 Comment

Your treating $str as a string
1

mysql_real_escape_string() is a PHP function. So in your MySQL query string you have to pass it like a variable:

$query ="INSERT INTO tableName (name) VALUES ('" . mysql_real_escape_string($str) . "')";

Read more here: http://php.net/manual/en/function.mysql-real-escape-string.php

Improve this answer

Comments

0

I would recommend performing the mysql_real_escape_string() function prior to the insert query. There are known issues with attempting to strip characters during the query call. The code below I have utilized numerous times before and know it works. It would also help if you gave us the error you've been getting, are you using a mysql extension such as mysql*i*, and the real code you're using. "I made a mistake while reducing my code down; this is closer to what I have that is giving an error" doesn't really help narrow down the issue you're having since you possibly removed the piece that throws the error while reducing your code. Nevertheless, using what I have below should work for you just fine.

$str = $_POST['name'];
mysql_real_escape_string($str);
$query = "INSERT INTO tableName (name) VALUES (".$str.")";
mysql_query($query);
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.