A query from PHP to MS SQL?

PHP sends the following query to an MS SQL database:

$name = 'text Text text text "a name in quotes"';
$sql = "SELECT * FROM Table WHERE Pole = '".$name."'";

As a result of this query I get nothing back :(

But if $name has the form 'Text text text' or 'text Text text "Text in quotes"', the query runs normally.

Also, if you run the query directly in the database, SELECT * FROM Table WHERE Pole = 'Text text text text "a name in quotes"', it also works correctly.

Obviously the problem is with the double quotes " ", but how do I solve it?
June 8th 19 at 17:22
4 answers
June 8th 19 at 17:24
For the quotes to work, use PDO. But if you are really too lazy to deal with PDO, then something like this:


$name = addslashes('Text text text text "a name in quotes"');
$sql = "SELECT * FROM Table WHERE Pole = '".$name."'";
June 8th 19 at 17:26
You will need to escape quotes:
SELECT * FROM Table WHERE Pole = 'text with \'quotes\"

See php.net/manual/ru/pdo.quote.php

And it is better to use parameter substitution: php.net/manual/ru/pdo.prepare.php#refsect1-pdo.pre...
June 8th 19 at 17:28
Congratulations! You have learned what SQL injection is! All the data you use in queries must be brought into a safe form. And best of all, use PDO.
June 8th 19 at 17:30
Thank you, I'll deal with PDO
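
Parameter binding with PDO, which the answers above recommend, compared with the concatenated query from the question; this is an added example, not code from the thread. It assumes the pdo_sqlite extension and an in-memory SQLite database so that it runs offline, the sample values are constructed, and against SQL Server the DSN would be a pdo_sqlsrv connection string while the prepare/execute calls stay the same.

```php
<?php
// Added example. In-memory SQLite keeps it runnable offline; for SQL Server the
// DSN would be e.g. 'sqlsrv:Server=HOST;Database=DB' (placeholders) and the
// prepare/execute calls below would not change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows; table and column names follow the question.
$pdo->exec('CREATE TABLE "Table" (Pole TEXT)');
$samples = [
    'Text text text text "a name in quotes"',
    "O'Brien \"with both kinds\" of quotes",
    'plain text',
];
$insert = $pdo->prepare('INSERT INTO "Table" (Pole) VALUES (:pole)');
foreach ($samples as $s) {
    $insert->execute([':pole' => $s]);
}

// Concatenation, as in the question: the value becomes part of the SQL text.
function findConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT Pole FROM \"Table\" WHERE Pole = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is bound as data and never parsed as SQL.
function findPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT Pole FROM "Table" WHERE Pole = :pole');
    $stmt->execute([':pole' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach ($samples as $name) {
    try {
        $concat = count(findConcatenated($pdo, $name)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error';   // the apostrophe ended the string literal early
    }
    $prepared = count(findPrepared($pdo, $name)) . ' row(s)';
    printf("%-45s concat: %-10s prepared: %s\n", $name, $concat, $prepared);
}
```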
