I have a table in which I want to match fname and lname.
My query is:
$result = $mysqli->query('SELECT * FROM user_friend_detail WHERE userId = "'.$_SESSION["userId"].'" AND FriendFirstName = "'.mysql_real_escape_string($firstName).'" AND FriendLastName = "'.mysql_real_escape_string($lastName).'" AND FriendStatusCode="verified" AND friendId!='.$fid.' ') or die($mysqli->error);
The problem is that if I write a name like Joh'nny, the names with ' are not matched. How can I solve this?
Since you're already using mysqli you might as well use prepared statements, so that you don't have to worry about doing proper escaping:
$stmt = $mysqli->prepare('SELECT *
FROM user_friend_detail
WHERE userId = ? AND FriendFirstName = ? AND FriendLastName = ?
AND FriendStatusCode="verified" AND friendId <> ?');
$stmt->bind_param('issi', $_SESSION['userId'], $firstName, $lastName, $fid);
$stmt->execute();
See also: mysqli::prepare()
Update
In addition, you may have magic quotes enabled; you should switch it off.
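Why binding the raw value matches Joh'nny while a slash-escaped value does not, as an added example that is not part of the original answer. It uses PDO with an in-memory SQLite database in place of mysqli and MySQL so that it runs offline; `findFriends` and the sample rows are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the MySQL server so the
// script runs offline; placeholders behave the same way as in mysqli::prepare().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_friend_detail (
    userId INTEGER, friendId INTEGER,
    FriendFirstName TEXT, FriendLastName TEXT, FriendStatusCode TEXT)');

// Constructed sample rows.
$ins = $db->prepare('INSERT INTO user_friend_detail VALUES (?, ?, ?, ?, ?)');
$ins->execute([1, 10, "Joh'nny", "O'Neil", 'verified']);
$ins->execute([1, 11, 'Jane', 'Doe', 'verified']);

// Hypothetical helper: the answer's query, returning the matching friendIds.
function findFriends(PDO $db, int $userId, string $first, string $last, int $excludeId): array
{
    $stmt = $db->prepare(
        "SELECT friendId FROM user_friend_detail
          WHERE userId = ? AND FriendFirstName = ? AND FriendLastName = ?
            AND FriendStatusCode = 'verified' AND friendId <> ?"
    );
    $stmt->execute([$userId, $first, $last, $excludeId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 1. Raw input bound as a parameter: the apostrophe is just data.
$raw = findFriends($db, 1, "Joh'nny", "O'Neil", 99);

// 2. Input that was slash-escaped before binding (magic quotes applied the
//    equivalent of addslashes() to request data): the backslash becomes part
//    of the value being compared, so the row is missed.
$escaped = findFriends($db, 1, addslashes("Joh'nny"), addslashes("O'Neil"), 99);

// 3. Undo the stray escaping once at the input boundary, then bind.
$cleaned = findFriends($db, 1, stripslashes("Joh\\'nny"), stripslashes("O\\'Neil"), 99);

printf("raw: %d row(s), escaped: %d row(s), cleaned: %d row(s)\n",
    count($raw), count($escaped), count($cleaned));

// 4. A quote-laden value is also only compared, never parsed as SQL.
$hostile = findFriends($db, 1, "x' OR '1'='1", "y", 99);
printf("hostile input: %d row(s)\n", count($hostile));
```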