problem with ` char

scialom

Hello all,

I have this var:
$name = "avid`s";

then I have this sql:
$chk_sql = "select * from db_jobs where pro_name=$name";

when I execute this sql statement I get an error. How can I avoid that?

Thanks!

HalfaBee

You need to use this

$chk_sql = mysql_real_escape_string( "select * from db_jobs where pro_name=`$name`" );

NogDog

$chk_sql = "select * from db_jobs where pro_name='" . mysql_real_escape_string($name) . "'";

PS: Be careful: there's a major difference between the [FONT="Courier New"]'[/FONT] and [FONT="Courier New"]`[/FONT] characters in MySQL, the former being for quoting string literals and the latter for delimiting table/column identifiers.

cam815

The safest way to wrap your SQL queries would be to `` the tables and columns and '' your text values.

scialom;10886751 wrote:
$chk_sql = "SELECT * FROM db_jobs WHERE pro_name='$name'";

laserlight

cam815 wrote:
The safest way to wrap your SQL queries would be to `` the tables and columns and '' your text values.

Caveat: MySQL is weird in that by default it uses backticks (`) to escape identifiers. In standard SQL, double quotes (") are used for the same purpose. Oh, and some database vendors use brackets ([]) by default instead. Gah.

That said, I find that excessively paranoid since it is quite obvious that db_jobs and pro_name are identifiers, not keywords. On the other hand, it means that the readers of your SQL statements do not need to check in the event that they are unsure.