I’m using PDO and was under the impression that prepare escaped apostrophes but I

Question

0

Asked: May 20, 20262026-05-20T03:10:32+00:00 2026-05-20T03:10:32+00:00

I’m using PDO and was under the impression that prepare escaped apostrophes but I

0

I’m using PDO and was under the impression that prepare escaped apostrophes but I can see that isn’t the case. what do I use to escape my strings for apostrophes?

$sql = 'SELECT test FROM test WHERE id = :id';
$sth = $dbh->prepare($sql);
$sth->execute(array(':id' => 1));
$red = $sth->fetchAll();

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-20T03:10:33+00:00

I suspect that whilst you might be using a prepared statement, you are not binding parameters. For example, instead of

$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare("UPDATE table SET col = '$val'");
$stmt->execute();

You should use

$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare('UPDATE table SET col = :val');
$stmt->bindParam('val', $val);
$stmt->execute();

or at least

$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare('UPDATE table SET col = :val');
$stmt->execute(array('val' => $val));

This is using named parameters but you can also use positional ones using ? as a placeholder

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m using PDO and was under the impression that prepare escaped apostrophes but I

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply