
I am trying to insert values with a comma into a database but the comma is splitting the query so that the part of the string before the comma goes into the correct column, while the bit after the comma goes into the next and every item in the query after that is displaced into the next column.

My connection file to my db is as follows:

<?php
define('DB_HOST', 'localhost');
define('DB_NAME', '********');
define('DB_USER', '********');
define('DB_PASS', '********');
define('DB_CHAR', 'utf8');

class DB
{
    protected static $instance = null;
    protected function __construct() {}
    protected function __clone() {}

    // Lazily create a single shared PDO connection (native prepares, exceptions on error).
    public static function instance(){
        if (self::$instance === null){
            $opt  = array(
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
                PDO::ATTR_EMULATE_PREPARES => FALSE,
            );
            $dsn = 'mysql:host='.DB_HOST.';dbname='.DB_NAME.';charset='.DB_CHAR;
            self::$instance = new PDO($dsn, DB_USER, DB_PASS, $opt);
        }
        return self::$instance;
    }

    // Forward any other static call (e.g. DB::lastInsertId()) to the PDO instance.
    public static function __callStatic($method, $args){
        return call_user_func_array(array(self::instance(), $method), $args);
    }

    // Run $sql; with $args it is prepared and the values are bound as parameters.
    public static function run($sql, $args = []){
        if (!$args){
            return self::instance()->query($sql);
        }
        $stmt = self::instance()->prepare($sql);
        $stmt->execute($args);
        return $stmt;
    }
}

And then I do my query like this:

$item1 = 'item1';
$item2 = 'item_with_a_,_symbol';
$item3 = 'item3';

$params = [$item1,$item2,$item3];
$sql = "INSERT INTO table (col1,col2,col3) VALUES(?,?,?)";
$stmt = DB::run($sql,$params);

In this case my database would be like so:

col1            col2            col3
item1           item_with_a_    _symbol

What is the best way to get around this?

  • "my database would be" Have you tested this? Commented Aug 23, 2018 at 13:44
  • item_with_a_,_symbol - I think you're not telling us the full story here. Is there a symbol going in there? and if so, what is it? I don't understand what you want to do here. Commented Aug 23, 2018 at 13:46
  • @FunkFortyNiner the symbol is a comma as in , this means it's splitting that parameter into two variables Commented Aug 23, 2018 at 14:16
  • @PaddyHallihan what you mentioned above in a comment to me, think that should have been part of the question. Where is that coming from anyway? Commented Aug 24, 2018 at 0:59
  • If you use parameterized queries you do not have to worry about such things. Commented Sep 3, 2018 at 2:08

1 Answer

Try escaping the input before running the insert. mysqli_real_escape_string() should do the trick

Check this entry in the PHP manual for reference


1 Comment

You don't need to escape parameters to prepared statements.
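The comment above and the earlier one on the question make the same point: with a prepared statement the values are sent separately from the SQL text, so a comma (or a quote) in the data cannot split or alter the statement, and escaping before binding only corrupts the stored value. The following is an added example, not code from the question or the answer; it uses an in-memory SQLite database so it runs without a MySQL server, and the table name items and its columns are made up for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or answer). Requires PHP 8 with pdo_sqlite.
// Table "items" and its columns are invented for the demo.
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE items (col1 TEXT, col2 TEXT, col3 TEXT)');
    return $pdo;
}

// Hardened form: the three values travel as bound parameters, separate from
// the SQL text, so a comma, a quote or anything else in the data is stored
// as-is and never parsed as SQL.
function insertBound(PDO $pdo, array $values): array
{
    $stmt = $pdo->prepare('INSERT INTO items (col1, col2, col3) VALUES (?, ?, ?)');
    $stmt->execute($values);
    return $pdo->query('SELECT col1, col2, col3 FROM items')->fetchAll();
}

// Unsafe form: values pasted into the SQL string. A comma alone survives here
// because it sits inside the quotes, but a single quote in the data ends the
// literal early and the statement fails (returns false) instead of inserting.
function insertInterpolated(PDO $pdo, array $values): array|false
{
    [$a, $b, $c] = $values;
    $sql = "INSERT INTO items (col1, col2, col3) VALUES ('$a', '$b', '$c')";
    try {
        $pdo->exec($sql);
    } catch (PDOException $e) {
        return false;
    }
    return $pdo->query('SELECT col1, col2, col3 FROM items')->fetchAll();
}

// "Escape, then bind": the escaping characters become part of the stored data,
// because the driver already handles quoting for bound values.
function insertEscapedThenBound(PDO $pdo, array $values): array
{
    return insertBound($pdo, array_map('addslashes', $values));
}

// 1. The question's input: the comma stays in col2.
$rows = insertBound(openDb(), ['item1', 'item_with_a_,_symbol', 'item3']);
echo $rows[0]['col2'] === 'item_with_a_,_symbol' ? "comma kept\n" : "comma lost\n";
print_r($rows[0]);

// 2. A value with a quote and a comma is also stored intact when bound.
$rows = insertBound(openDb(), ['item1', "it's, quoted", 'item3']);
print_r($rows[0]);

// 3. The same value breaks the interpolated statement.
var_dump(insertInterpolated(openDb(), ['item1', "it's, quoted", 'item3'])); // bool(false)

// 4. Escaping before binding stores the backslash literally.
$rows = insertEscapedThenBound(openDb(), ['item1', "it's", 'item3']);
var_dump($rows[0]['col2']); // string(5) "it\'s"
```

Run it with php example.php. Case 1 shows that a bound parameter cannot be "split" by the database driver; if a comma-containing value really does end up across two columns, the split must have happened before the values reached execute(), for instance in whatever produced the $params array, which is worth checking with var_dump($params) right before DB::run().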
