将PHP更新到5.4后在MySql查询中引用错误

Question

I have an application made ​​in php and my database is mysql. For years the application worked correctly, but a few days ago I updated my version of XAMPP, and it was updated my version of PHP, now I have the 5.4. The problem now is to query database. The application is for a hospital, and, for example, I have many patients with last names containing single quotes. For example: Claudio O'Connor. When I perform an update on this table, with some patient containing double quotes in its name, obviously the application fails. For example:

UPDATE patients SET lastname = 'O'Connor' WHERE idPatient = 92565

I think this problem has to do with the deprecation of the magic quotes. The problem is that the application is immense, and I can not fix this problem by looking at all the queries one by one. Is there any way to fix this problem in general? Thank you very much.

Answer 1

In PHP 5.4, the automatic magic quotes feature was removed from PHP. If you're running a version older than 5.4, you can set magic_quotes_gpc = On in the php.ini (or by using the following):

ini_set('magic_quotes_gpc', '1');

If you're using 5.4+, you'll need to manually apply mysql_real_escape_string to all data. Note that for SQL injection prevention, you should not rely on magic quotes and instead use manual code to escape the string.

Answer 2

Activating manually the magic_quotes_gpc or or sanitizing the inputs with mysql_real_string_escape are quick fixes that will work fine but you should really consider to use PDO prepared statements that don't have any SQL Injection issues.

Here is an example of what it looks like

<?php
$insert = $dbh->prepare("INSERT INTO fruit(name, colour) VALUES (?, ?)");
$insert->execute(array('apple', 'green'));
$insert->execute(array('pear', 'yellow'));

$sth = $dbh->prepare("SELECT name, colour FROM fruit");
$sth->execute();

/* Group values by the first column */
var_dump($sth->fetchAll(PDO::FETCH_COLUMN|PDO::FETCH_GROUP));
?>