I want to fetch a spare part from MySQL (Yii framework). Some part titles contain '
, for example: OUTLANDER '03-06
For security reasons I encode the query string parameter through htmlspecialchars()
(converts special characters to HTML entities), so the query becomes:
SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER '03-06 %"
LIMIT 0 , 10
yet this yields an empty result.
While if I only escape '
by adding a slash, such a query works:
SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER \'03-06 %"
LIMIT 0 , 10
What's the problem? Do I still need to apply htmlspecialchars()
to input parameters to make them safe HTML entities for security reasons? What would be a solution?
I think you have to use mysql_real_escape_string() instead.
Ref: http://www.w3schools.com/php/func_mysql_real_escape_string.asp
The function htmlspecialchars()
is not meant to escape strings in queries. You should use one of these functions:
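As an added example (not code from the question or from either answer), the following Python script uses SQLite as a stand-in for the MySQL table in the question, with a constructed `assortment` table. It shows why the HTML-encoded search returns nothing (the apostrophe stored in the title is compared against the entity `&#x27;`, which PHP's htmlspecialchars() would likewise emit as `&#039;`), that a bound query parameter matches the title correctly without any manual escaping, and that HTML encoding belongs at output time, when the title is rendered into a page. Parameter binding is also what the Yii command object's bindValue() does, and it replaces the connection-level escaping the first answer suggests (the mysql_* functions were removed in PHP 7). The sample titles are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample rows standing in for the `assortment` table in the question.
SAMPLE_TITLES = [
    "OUTLANDER '03-06 front bumper",
    "OUTLANDER '07-12 front bumper",
    "LANCER '03-06 headlight",
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assortment (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO assortment (title) VALUES (?)", [(t,) for t in SAMPLE_TITLES]
    )
    conn.commit()
    return conn


def search_html_encoded(conn: sqlite3.Connection, term: str) -> list[str]:
    """Reproduce the question's approach: HTML-encode the term, then splice it into SQL.

    html.escape(quote=True) turns the apostrophe into &#x27;, so the literal no longer
    equals what is stored in the table and the LIKE finds nothing. The query only stays
    syntactically valid by accident, because the entity happens to contain no quote;
    HTML encoding is not an SQL escaping mechanism.
    """
    encoded = html.escape(term, quote=True)
    sql = f"SELECT title FROM assortment WHERE title LIKE '%{encoded}%' LIMIT 0, 10"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_bound(conn: sqlite3.Connection, term: str) -> list[str]:
    """The fix: pass the raw term as a bound parameter.

    The driver sends the value separately from the SQL text, so the apostrophe is
    plain data and cannot change the statement's structure. No escaping is needed.
    """
    pattern = f"%{term}%"
    rows = conn.execute(
        "SELECT title FROM assortment WHERE title LIKE ? LIMIT 0, 10", (pattern,)
    ).fetchall()
    return [row[0] for row in rows]


def render_title(title: str) -> str:
    """Where htmlspecialchars() belongs: encoding the value when it is written into HTML."""
    return html.escape(title, quote=True)


if __name__ == "__main__":
    db = build_db()
    term = "OUTLANDER '03-06"
    print("HTML-encoded search:", search_html_encoded(db, term))  # [] (no match)
    print("bound-parameter search:", search_bound(db, term))      # one matching title
    for title in search_bound(db, term):
        print("rendered:", render_title(title))
```

The two searches use the same LIKE pattern shape as the question; only the way the user-supplied value reaches the database differs. In Yii the equivalent of `search_bound` is a command with a `:title` placeholder and `bindValue()`, with `htmlspecialchars()` applied only in the view.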