Insert percent sign

ChetUbetcha

I can't remove my head from somewhere today...

I have some records being inserted, but when the program runs across 100%, the % throws everything off. I tried mysql_real_escape_string and addcslashes (but that added two slashes) and addslashes (which didn't work). How the heck can I get the % sign to stop throwing off the insert statement?

NogDog

Got code? (My guess is that you are not quoting the value in the SQL, but it would help to see the code.)

ChetUbetcha

Too much stuff around all the other code, but in a nutshell, I am creating an array with each item from an uploaded csv. Each item has $response_array[] = mysql_real_escape_string($cell); applied to it. I thought that would take care of everything. It all works fine until the INSERT statement runs across a cell with a % sign. I hope that explains enough, otherwise I'll have to dissect a ton of code.

NogDog

All I'm really concerned with is the actual query string. If the value has a percent, it must be treated as a string literal in the query, not a number, and so must be quoted.

$_POST['foo'] = '25%';
$foo = mysql_real_escape_string($_POST['foo']);
$sql = "INSERT INTO table_name (col_foo) VALUES('$foo')"; // value must be quoted
// this would fail with SQL syntax error:
$sql = "INSERT INTO table_name(col_foo) VALUES($foo)";

And if you used a prepared statement with the newer MySQLi extension, you could pretty much avoid worrying about it by using a "s" type designator for the bound parameter, and let it take care of the escaping and quoting as needed:

$stmt = $db->prepare("INSERT INTO table_name (foo_col) VALUES(?)");
$stmt->bind_param('s', $foo);
$foo = $_POST['foo'];
$stmt->execute();