Home/ Questions/Q 533049
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T09:28:07+00:00

In my MySQL table, I have a column of TEXT type. On my HTML

  • 0

In my MySQL table, I have a column of TEXT type. On my HTML Form, user pastes text into it that might contain “” , ‘ ( ) and so on. I want to know how to safely execute Insert Query if these characters exist in the text and might crash the query execution.

How to handle them properly in PHP?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use a prepared statement.

    Prepared statements can help increase
    security by separating SQL logic from
    the data being supplied. This
    separation of logic and data can help
    prevent a very common type of
    vulnerability called an SQL injection
    attack. Normally when you are dealing
    with an ad hoc query, you need to be
    very careful when handling the data
    that you received from the user. This
    entails using functions that escape
    all of the necessary trouble
    characters, such as the single quote,
    double quote, and backslash
    characters. This is unnecessary when
    dealing with prepared statements. The
    separation of the data allows MySQL to
    automatically take into account these
    characters and they do not need to be
    escaped using any special function.

    A quick example,

    $db = new mysqli('localhost', 'username', 'password', 'db');
$stmt = $db->prepare("INSERT INTO mytable (text_column) VALUES (?)");
$stmt->bind_param("s", $mytext); // s = string, b = boolean, i = int, etc
$stmt->execute();
...
    • 0