Mysql PHP insert with quotes and double quotes

Question

I am trying to insert data into a table that contains both quotes and double quotes. How can i escape them?

The value i want to add is:

 default=1,name='Bob',lastName="Jones"


 $ins = "INSERT into table (field1,field2,fiel3,) values ('data1','data2',????)";

If i use single quote, the Bob part gets broken. If I use double quote, the Jones part gets broken.

If i use mysql_escape_string what would this look like?

$data3 = mysql_escape_string(????);

Again if i use single quote, the Bob part gets broken. If I use double quote, the Jones part gets broken.

I know its a terrible db design but I have no control over the fields i need to add or the syntax of the values. I have to insert the value exactly as seen above.

Answer 1

Use prepared statements

Look at this.

First connect with improved mysqli

$mysqli = new mysqli($servername, $username, $password);

$stmt = $mysqli->prepare("INSERT into table (field1,field2,fiel3,) values (?,?,?)");
$stmt->bind_param("sss",$data1,$data2,$data3);
$stmt->execute();

Where $mysqli is your connector.

In this way you have also prevented from SQL Injection.

Answer 2

From what I have read mysql_* functions are deprecated as of PHP 7, and from what I understand you can't escape quotes. At least not properly. I'd recommend you go to PDO, as it's compatible with different database types, and it's in my opinion easier to use than the mysqli_* functions. Although I'll let you know that mysqli is capable of escaping quotes.

Since there is already an answer with a mysqli example, here is a short example of using PDO to escape quotes:

$dns = "mysql:dbname=test;host=localhost";
$user = "root";
$password = "";

$connection = new PDO($dns, $user, $password);

$sql = "INSERT INTO users (username, password) VALUES (:username, :password)";
$statement = $connection->prepare($sql);
$statement->execute([
    ':username' => $username,
    ':password' => $password
]);

Now remember this only escapes quotes, it does not filter your inputs. So before you insert any foreign data(form data), use the filter_var() function based on what you want to filter, eg: $string = filter_var($string, FILTER_SANITIZE_STRING) . Or you could do:

 $statement->bindParam(':username', $username, PDO_PARAM_STRING);

Answer 3

Just a little function which mimics the original mysql_real_escape_string but which doesn't need an active mysql connection. Could be implemented as a static function in a database class. Hope it helps someone.

<?php 

function mysql_escape_mimic($inp) { 

    if(is_array($inp)) 
        return array_map(__METHOD__, $inp); 

    if(!empty($inp) && is_string($inp)) { 
        return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $inp); 
    } 

    return $inp; 
} 
?>

Source: php manual