Dear all,
My database cannot accept uploading file when filename contain single quote " ' ". Then it show the error.
For example my filename testuploads'.xls
Got the error message
Error, query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.xls', '16.5', 'application/vnd.ms-excel', 'upload/testuploads'.xls', '7004', '3' at line 1
How can I allow user to upload this file???
Jump to Postyou need to escape the string before saving it to the database.
In other words,
str_replace("'","\'",$filename)
or better yet, use the function mysql_real_escape_stringIt's good practice to perform this escaping on any user …
you need to escape the string before saving it to the database.
In other words, str_replace("'","\'",$filename)
or better yet, use the function mysql_real_escape_string
It's good practice to perform this escaping on any user input string prior to saving to the database, as it helps prevent both errors and SQL Injection attacks.
You can use below function for filtering data before inserting in database.
function filter($data)
{
$data = trim(htmlentities(strip_tags($data)));
if (get_magic_quotes_gpc())
$data = stripslashes($data);
$data = mysql_real_escape_string($data);
return $data;
}
$filename = filter($filename);
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.