
Dear all,
My database cannot accept an uploaded file when the filename contains a single quote ( ' ). It then shows an error.
For example, my filename is testuploads'.xls
I got this error message:

Error, query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.xls', '16.5', 'application/vnd.ms-excel', 'upload/testuploads'.xls', '7004', '3' at line 1

How can I allow users to upload this file?

Last Post by vibhaJ

You need to escape the string before saving it to the database.

In other words, str_replace("'","\'",$filename)
or better yet, use the function mysql_real_escape_string

It's good practice to perform this escaping on any user input string prior to saving to the database, as it helps prevent both errors and SQL Injection attacks.

Edited by |-|x


You can use the function below for filtering data before inserting it into the database.

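function filter($data)
{
    // Trim whitespace, strip HTML tags and encode HTML special characters.
    $data = trim(htmlentities(strip_tags($data)));

    // Undo the slashes that magic quotes added, so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }

    // Escape for use inside a quoted SQL string; needs an open mysql_* connection.
    $data = mysql_real_escape_string($data);

    return $data;
}

$filename = filter($filename);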
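
The same insert written with a parameterized query, added here as an example and not code from any poster in this thread. It swaps the escaping approach for PDO prepared statements, so the quote in the filename never becomes part of the SQL text. The table and column names, the helper functions and the in-memory SQLite database (used so the script runs offline) are assumptions.

```php
<?php
// Added example. Table/column names and helper names are assumptions, not from the thread.
// SQLite in memory keeps the script self-contained; for MySQL only the DSN passed
// to the PDO constructor changes ('mysql:host=...;dbname=...;charset=utf8mb4').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE uploads (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    size_kb REAL NOT NULL,
    mime    TEXT NOT NULL,
    path    TEXT NOT NULL
)');

function store_upload(PDO $pdo, string $clientName, float $sizeKb, string $mime): int
{
    // Keep only the last path component of whatever name the client sent.
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || $name === '.' || $name === '..' || strlen($name) > 255) {
        throw new InvalidArgumentException('unusable file name');
    }

    // Values travel separately from the SQL text, so no escaping function is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO uploads (name, size_kb, mime, path) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$name, $sizeKb, $mime, 'upload/' . $name]);

    return (int) $pdo->lastInsertId();
}

function upload_name(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT name FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample input: the filename from the question.
$id     = store_upload($pdo, "testuploads'.xls", 16.5, 'application/vnd.ms-excel');
$stored = upload_name($pdo, $id);

// Round trip: the stored name is compared byte for byte with the input.
var_dump($stored === "testuploads'.xls");

// HTML-encode at output time, when the name is written into a page.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```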