从mysql查询中的单引号数据转义

Question

I have a silly problem. I am trying to upload bulk data from csv file to my database table. It is working fine. But I noticed many of rows in csv file contains data in single quotes words like (That's, It's etc). Wherever in database single quotes query throws syntax errors. I seen many posts that suggest to keep you single quotes data like this (That''s) but I have more than 1000 of rows so I can't cheque each row. Is there any programmatic way to avoid this problem?

<?php

include "connection.php"; //Connect to Database

$deleterecords = "TRUNCATE TABLE tablename"; //empty the table of its current records
mysql_query($deleterecords);

//Upload File
if (isset($_POST['submit'])) {
    if (is_uploaded_file($_FILES['filename']['tmp_name'])) {
        echo "<h1>" . "File ". $_FILES['filename']['name'] ." uploaded successfully." . "</h1>";
        echo "<h2>Displaying contents:</h2>";
        readfile($_FILES['filename']['tmp_name']);
    }

    //Import uploaded file to Database
    $handle = fopen($_FILES['filename']['tmp_name'], "r");

    while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
        $import="";
        mysql_query($import) or die(mysql_error());
    }

    fclose($handle);

    print "Import done";

    print ""

    //view upload form
}else {

    print "<h1>Upload new CSV</h1><br />\n";

    print "<form enctype='multipart/form-data' action='upload.php' method='post'>";

    print "File name to import:<br />\n";

    print "<input size='50' type='file' name='filename'><br />\n";

    print "<input type='submit' name='submit' value='Upload'></form>";

}

?>

Answer 1

First of all you need to stop using mysql_* Functions because it's omitted on php 7.0 instead use mysqli_* or PDO

you can add back slashes to escape single and double quotes using addslashes() or since you are inserting into database you need to use mysql_real_escape_string()

mysql_real_escape_string($import);