A query from php to ms sql?

Question

A query from php to ms sql?

php sends a request to the database ms sql, the following:

$name = 'text Text text text "a name in quotes"';
$sql = "SELETC * FROM Table WHERE Pole = '".$name."'";

as a result of this request do not get anything(

but if $name is in the form 'Text text text' or 'text Text text "Text in quotes"' the request fulfills normally.

Also, if you run the query directly in the database SELETC * FROM Table WHERE Pole = 'Text text text text "a name in quotes"'. He also will work correctly.

Obviously the problem with double quotes " ", but how to solve it?

nikita.Stracke asked June 8th 19 at 17:22

Related questions

More answers about "A query from php to ms sql?"

4 answers

violet_Dibbe answered on · Answer 1 · 2019-06-08T17:24:00.619Z

violet_Dibbe answered on June 8th 19 at 17:24

Instead
SELETC
need
SELECT
And the quotes worked, use PDO. But if I'm really too lazy to deal with PDO, so that's something

php.net/manual/ru/function.addslashes.php

$name = addslashes('Text text text text "a name in quotes"');
$sql = "SELECT * FROM Table WHERE Pole = '".$name."'";

alexandrine75 answered on · Answer 2 · 2019-06-08T17:26:00.619Z

alexandrine75 answered on June 8th 19 at 17:26

You will need to escape quotes:

SELECT * FROM Table WHERE Pole = 'text with \'quotes\"

Cm. php.net/manual/ru/pdo.quote.php

And it is better to use a lookup parametrov: php.net/manual/ru/pdo.prepare.php#refsect1-pdo.pre...

Henriette_Ernser answered on · Answer 3 · 2019-06-08T17:28:00.619Z

Henriette_Ernser answered on June 8th 19 at 17:28

Congratulations! You learned what SQL injection! All the data you use in queries to lead to a safe mind. And best of all use PDO.

nikita.Stracke answered on · Answer 4 · 2019-06-08T17:30:00.619Z

nikita.Stracke answered on June 8th 19 at 17:30

Thank you, I'll deal with PDO