
php-mysql database apostrophe and comma insertion

I have to insert 10 fields' values into MySQL from PHP code as they are. The problem is that whenever the user enters an apostrophe or a comma (',), the query code is disturbed. There are some functions for this, but is it necessary to pass all the fields' values through these functions? Wouldn't it be time consuming :P

Here is my PHP code:

$rs = mysql_query("
    insert into 
        _{$pid}_item 
    values (
        '$pid',
        '$item_brand',
        '$item_code',
        '$item_name',
        '$item_quantity',
        '$item_mrp',
        '$item_discount',
        '$item_vat',
        '$item_sat',
        '$item_selling_price',
        '$item_rating',
        '$item_image'
    )
"); 

I am passing the values to these variables.

Try something like mysql_real_escape_string, or if using PDO, use PDO::quote.

And please please please read up on SQL injection attacks. It is not just a matter of getting failed queries, it is a matter of having an attacker get access to your entire database, like all other users' information.

Even better is to use prepared statements. This would look something like this:

<?php
//Use of $pid in the table name is strange here (see comments section) and is
// dangerous unless you're generating it yourself entirely from known information
// sources. Otherwise you definitely need to sanitize it, which I don't think
// prepared statements or quoting can do.
$stmt = $dbh->prepare("
    INSERT INTO 
        _{$pid}_item
    VALUES (
        :pid,
        :item_brand,
        :item_code,
        :item_name,
        :item_quantity,
        :item_mrp,
        :item_discount,
        :item_vat,
        :item_sat,
        :item_selling_price,
        :item_rating,
        :item_image)
"); 

$stmt->bindParam(":pid", $pid);
$stmt->bindParam(":item_brand", $item_brand);
$stmt->bindParam(":item_code", $item_code);
//... etc ...
$stmt->execute();

?>
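An added example (not code from the question or from any answer above) that carries the prepared-statement approach through end to end: the row values go in as bound parameters, while the table-name fragment $pid, which no placeholder can protect, is checked against a strict pattern before it is interpolated. It assumes PDO with the SQLite driver so it runs offline; the table layout and sample values are constructed for the demonstration.

```php
<?php
// Only values can be bound. Identifiers such as the table name must be validated
// separately; here $pid is required to be a short run of digits (assumed format).
function itemTableName(string $pid): string
{
    if (!preg_match('/^[0-9]{1,10}$/', $pid)) {
        throw new InvalidArgumentException("refusing unsafe table id: $pid");
    }
    return "_{$pid}_item";
}

function insertItem(PDO $dbh, string $pid, array $item): void
{
    $table = itemTableName($pid);
    // Named placeholders stand in for values only. The driver keeps the bound
    // values out of the SQL text, so apostrophes and commas in $item arrive
    // intact and cannot alter the statement.
    $stmt = $dbh->prepare(
        "INSERT INTO {$table} (pid, item_brand, item_name)
         VALUES (:pid, :item_brand, :item_name)"
    );
    $stmt->execute([
        ':pid'        => $pid,
        ':item_brand' => $item['item_brand'],
        ':item_name'  => $item['item_name'],
    ]);
}

// Constructed in-memory database standing in for the MySQL table in the question.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE _42_item (pid TEXT, item_brand TEXT, item_name TEXT)");

// Constructed sample input containing the apostrophe and comma from the question.
insertItem($dbh, '42', [
    'item_brand' => "O'Reilly",
    'item_name'  => "Widget, 'deluxe'",
]);

// Read the row back: the stored value is byte-for-byte what the user typed.
$row = $dbh->query("SELECT item_brand, item_name FROM _42_item")->fetch(PDO::FETCH_ASSOC);
echo $row['item_brand'], ' | ', $row['item_name'], PHP_EOL;

// A table id that is not purely numeric is rejected before any SQL is built.
try {
    itemTableName('42abc');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```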

The best complete explanation about your problem can be found here.

As you probably noticed, if someone is able to input anything and crash your system, your code is not correctly implemented.

The article above explains the best way to avoid this happening. Have a nice time reading the explanations and choosing the method that best fits your case. :)

    $query = str_replace("\'","''", $query);
    $query = stripslashes($query);

I have been using these two babies for similar situations. I haven't heard a complaint yet. Give it a try. Or play with it.

Use the addslashes() PHP function.

http://php.net/manual/en/function.addslashes.php

It is not as time consuming as you may think. Unnoticeable.

Sometimes you need to check your header.

This doesn't accept apostrophes:

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

To work well with apostrophes, it's good if you just use this in your header:

<meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
