I am learning to put data into my database using PHP mysqli prepared statements. I have the data going into the database using this code.
$FirstName = ucwords($_POST['fname']);
$LastName  = ucwords($_POST['lname'], "-'"); // also capitalise after - and ' (Smith-Jones, O'Brian)
$Customer  = $LastName . " " . $FirstName;
$conn = new mysqli($host, $user, $password, $db);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// The bound values travel separately from the SQL text, so quotes in them need no escaping
$stmt = $conn->prepare("INSERT INTO customers (FirstName, LastName, Customer) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $FirstName, $LastName, $Customer);
$stmt->execute();
$stmt->close();
$conn->close();
This is working very well, especially with hyphenated names or names with an apostrophe such as Pete O'Brian.
Now then, while trying to retrieve the information back out of the database, I am using the following code.
$conn = new mysqli($host, $user, $password, $db);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// $tempid is the invoice id being looked up (set earlier in the script)
$stmt = $conn->prepare("SELECT Customer, Instrument1 FROM tblinvoice WHERE InvID = ?");
$stmt->bind_param("i", $tempid);
$stmt->execute();
$stmt->bind_result($cust, $inst);
$stmt->fetch();
$cust = mysqli_real_escape_string($conn, $cust); // escapes the value that was just read back, adding the backslash seen in the output
$stmt->close();
$conn->close();
BUT the above outputs O\ for a last name of O'Brian. If I remove mysqli_real_escape_string($conn, $cust) and just use the bound value of $cust, I simply get O instead of O'Brian.
Can anyone tell me what I am not doing or what I am doing wrong here?
mysql_real_escape_string on INSERT, not on SELECT. If you do so, you don't need to escape anything on the output.
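To make the point concrete, here is an added example (my code, not from the question or the answer above) that round-trips O'Brian through mysqli prepared statements and then escapes it for the place it is printed. Two things it shows: with bound parameters there is nothing to escape on either INSERT or SELECT, because the driver sends the values apart from the SQL text; and escaping belongs to the output context, which here is HTML. The names $host, $user, $password and $db, and a `customers` table with an auto-increment `CustID` column, are assumptions; the question does not show the code that prints $cust, so the single-quoted `<input>` attribute at the end is also an assumption, chosen because an apostrophe inside such an attribute ends the value early and would produce exactly "O" from O'Brian (and "O\" once mysqli_real_escape_string has added a backslash).

```php
<?php
// Added example, not the original post's code. Assumed: $host, $user,
// $password, $db, and a `customers` table with columns CustID (auto-increment),
// FirstName, LastName, Customer.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently

function insert_customer(mysqli $conn, string $first, string $last): int
{
    $first    = ucwords($first);
    $last     = ucwords($last, "-'");   // capitalise after - and ' as the question does
    $customer = $last . ' ' . $first;

    // Bound parameters: the apostrophe in O'Brian never touches the SQL text,
    // so no escaping is needed and it cannot break the statement.
    $stmt = $conn->prepare(
        'INSERT INTO customers (FirstName, LastName, Customer) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $first, $last, $customer);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

function fetch_customer(mysqli $conn, int $id): ?string
{
    $stmt = $conn->prepare('SELECT Customer FROM customers WHERE CustID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($cust);
    $found = $stmt->fetch();   // true when a row was read, null when none matched
    $stmt->close();
    // Return the value exactly as stored ("O'Brian Pete"): do NOT run
    // mysqli_real_escape_string on data coming out of the database.
    return $found ? $cust : null;
}

$conn = new mysqli($host, $user, $password, $db);
$id   = insert_customer($conn, 'pete', "o'brian");
$cust = fetch_customer($conn, $id);
$conn->close();

// Escape for the OUTPUT context, here an HTML attribute. ENT_QUOTES turns the
// apostrophe into &#039;, so it survives inside a single-quoted attribute
// instead of terminating it (which would leave just "O").
$safe = htmlspecialchars($cust ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "<input type='text' name='customer' value='{$safe}'>\n";
// Page source: value='O&#039;Brian Pete'   Rendered in the browser: O'Brian Pete
```

The rule of thumb this illustrates: each sink gets its own escaping, applied once, at the point of use. SQL gets bound parameters (so no manual escaping at all), HTML gets htmlspecialchars with ENT_QUOTES, and a value read back from the database is stored data, not SQL, so escaping it for SQL only corrupts it. Enabling MYSQLI_REPORT_STRICT is worth keeping in real code too: with it, a failed prepare or execute throws rather than leaving $cust silently empty.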