Dear all,
My database cannot accept an uploaded file when the filename contains a single quote ( ' ). It then shows an error.
For example, my filename is testuploads'.xls
I got this error message:

Error, query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.xls', '16.5', 'application/vnd.ms-excel', 'upload/testuploads'.xls', '7004', '3' at line 1

How can I allow users to upload this file?

All 2 Replies

You need to escape the string before saving it to the database.

In other words, str_replace("'","\'",$filename)
or better yet, use the function mysql_real_escape_string

It's good practice to perform this escaping on any user input string prior to saving to the database, as it helps prevent both errors and SQL Injection attacks.

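You can use the function below for filtering data before inserting it into the database.

function filter($data) 
{
    // Remove HTML tags, convert special characters to HTML entities, trim whitespace
    $data = trim(htmlentities(strip_tags($data)));

    // Undo the slashes added by magic quotes, if that setting is on
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }

    // Escape characters that are special inside a MySQL string literal
    $data = mysql_real_escape_string($data);

    return $data;
}
$filename  = filter($filename);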
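
The failure in the question comes from the filename being pasted into the SQL text. The following is an added example, not code from the thread: it binds the filename as a parameter with PDO prepared statements (a different technique from the mysql_real_escape_string calls in the replies) and HTML-encodes only when printing. The uploads table, its columns, the save_upload() helper and the sample filenames are assumptions constructed for illustration, and an in-memory SQLite database stands in for MySQL so it runs without a server.

```php
<?php
// Added example: constructed schema and inputs, in-memory SQLite (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE uploads (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, size_kb REAL NOT NULL,
    mime TEXT NOT NULL, path TEXT NOT NULL)');

// Hypothetical helper: stores upload metadata without building SQL from the filename.
function save_upload(PDO $pdo, string $clientName, float $sizeKb, string $mime): int
{
    // Keep only the last path component of the client-supplied name.
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('empty or invalid filename');
    }
    // Placeholders keep data out of the SQL text, so a quote in the
    // filename can never end the string literal or alter the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO uploads (name, size_kb, mime, path)
         VALUES (:name, :size, :mime, :path)'
    );
    $stmt->execute([
        ':name' => $name,
        ':size' => $sizeKb,
        ':mime' => $mime,
        ':path' => 'upload/' . $name,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample filenames containing single and double quotes.
$samples = ["testuploads'.xls", "O'Brien's \"Q3\" report.xls"];
$select  = $pdo->prepare('SELECT name, path FROM uploads WHERE id = :id');

foreach ($samples as $sample) {
    $id = save_upload($pdo, $sample, 16.5, 'application/vnd.ms-excel');
    $select->execute([':id' => $id]);
    $row = $select->fetch(PDO::FETCH_ASSOC);

    // The database holds the exact bytes the user supplied.
    echo ($row['name'] === $sample ? 'stored intact: ' : 'MISMATCH: ');
    // Encode for HTML at output time, not before storage.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

With MySQL the same prepare/execute calls apply through PDO's mysql driver or through mysqli prepared statements.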