I'm using this code to check if a record exists or not:

```php
$filename = $_FILES["file"]["name"]; // FROM FORM
$ext = substr($filename, strpos($filename, '.'), strlen($filename) - 1);
$bull = substr($filename, 0, strpos($filename, '.'));

$myQuery = "SELECT *
            FROM $media
            WHERE label='$bull' ";
$result = $dbh->prepare($myQuery);
$result->execute();
$cont = $result->rowCount();

if ($cont == 1) {
    echo $bull.' Exists';
}
else {
    echo $bull.' Does Not Exists';
}
```

Which works fine except if there's an apostrophe in the record. Then it returns that it doesn't exist. So if "Hello There" exists, it says so. But if "Where's Hello" exists, it says it doesn't.

diafol

look at mysql_real_escape_string()


Magic quotes are turned off and I'm not using mysql_real_escape_string() on this query.

diafol

> I'm not using mysql_real_escape_string() on this query.

You should. It'll work.


You're right, it will work. But I wanted to make the code more portable, so I opted for addslashes(), adding it to the extension stripper and putting it in the SELECT statement (I tried it earlier, but had it in the wrong place).

```php
$filename = $_FILES["file"]["name"];
$ext = substr($filename, strpos($filename, '.'), strlen($filename) - 1);
$bull = substr($filename, 0, strpos($filename, '.')); // strip extension

$slashed_bull = addslashes($bull);

$myQuery = "SELECT *
            FROM $media
            WHERE label='$slashed_bull' ";
$result = $dbh->prepare($myQuery);
$result->execute();
$cont = $result->rowCount();

if ($cont == 1) {
    echo $bull .' Exists<br />'.$cont;
}
else {
    echo $bull .' Does Not Exists<br />'.$cont;
}
```

Thanks for the reply.
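
An added example (not code from the thread or its participants): the same existence check with the label passed as a bound PDO parameter, so an apostrophe in the filename is handled by the driver instead of by addslashes(). The `media` table name, the allow-list, the helper names and the in-memory SQLite data are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Table, helpers and rows are constructed.
declare(strict_types=1);

// Identifiers cannot be bound as parameters, so the table name is checked
// against a fixed allow-list before it is placed in the SQL text.
const ALLOWED_TABLES = ['media'];

function labelFromFilename(string $filename): string
{
    // basename() drops any client-supplied path; pathinfo() strips only the
    // last extension (the thread's substr/strpos cuts at the first dot).
    return pathinfo(basename($filename), PATHINFO_FILENAME);
}

function labelExists(PDO $dbh, string $table, string $label): bool
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unexpected table: $table");
    }
    // The label travels as a bound value, so quotes in it are data, not SQL.
    $stmt = $dbh->prepare("SELECT COUNT(*) FROM $table WHERE label = :label");
    $stmt->execute([':label' => $label]);
    // COUNT(*) avoids rowCount(), which is not guaranteed for SELECT on every driver.
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE media (label TEXT)');
$ins = $dbh->prepare('INSERT INTO media (label) VALUES (:label)');
foreach (['Hello There', "Where's Hello"] as $row) {
    $ins->execute([':label' => $row]);
}

// Constructed stand-ins for $_FILES["file"]["name"].
$uploads = ['Hello There.jpg', "Where's Hello.png", "It's Missing.mp3"];
foreach ($uploads as $name) {
    $label = labelFromFilename($name);
    $state = labelExists($dbh, 'media', $label) ? 'Exists' : 'Does Not Exist';
    // Encode on output: the label comes from a client-supplied filename.
    echo htmlspecialchars("$label $state", ENT_QUOTES, 'UTF-8'), "<br />\n";
}
```

With the constructed rows, the first two uploads report as existing and the third does not, with no escaping step applied to the label.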