Escaping special characters in Select statement SQL PHP

Question

How to escape column' special characters in SQL select statement.

I have that sql select statement and the column account_name has values that contains special characters, it gives me error as it doesn't escape those special characters.

select * from account where account_name ='$account_name'

Use prepared statements either in `PDO` or `mysqli`. – moonwave99 Feb 21 '13 at 13:19 — moonwave99, Feb 21 '13 at 13:19

score 2 · Accepted Answer · answered Feb 21 '13 at 13:28

Don't use any of the MySQL extension commands, they are obsolete and not recommended anymore.

use PDO and prepared atatements.

http://php.net/pdo

$name = '$somethingHere';
$stmt = $db->prepare("Select * from account where account_name = :name");
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Bud Damyanov · Answer 2 · 2013-02-21T13:33:03.440

1

Use mysql_real_escape_string($account_name) function.

edited Feb 21 '13 at 13:33

answered Feb 21 '13 at 13:17

Bud Damyanov

27,507
6
41
51

Escaping special characters in Select statement SQL PHP

2 Answers2