
I'm trying to insert content into MySQL and it looks like this:

table name is foo and the columns are:

     id INTEGER,
     name VARCHAR(50),
     content VARCHAR(255),
     url VARCHAR(255)

The problem arises when I'm trying to insert a string which has quotes and double quotes inside it, and escaping must be done since when inserting strings into MySQL you need to surround them in single quotes.

How do I escape the following text?

'<div><a href='http://www.ynet.co.il/articles/0,7340,L-4391031,00.html'><img src='http://www.ynet.co.il/PicServer3/2013/06/11/4677612/AP0AMR108-Main-2013-05-25T16-54-20.070Z239775_a.jpg' alt='צילום: AP' title='צילום: AP' border='0' width='116' height='116'></a></div>בית המשפט העליון אישר בהחלטה תקדימית לחיילים ושוטרים להצביע בבחירות - לראשונה מאז שנות ה-70. האיסלאמיסטים זעמו על הפסיקה בעוד הליברלים ואנשי האופוזיציה בירכו: "יש מדינות שמעניקות לאנשי הצבא שלהן להצביע בבחירות ובהם דרום אפריקה, ברזיל, הודו, רוסיה, ארצות הברית, ואפילו ישראל"' 
Alon
  • Have you tried as string like this: `"some content \"yes!\""` ? – Bart Friederichs Dec 29 '13 at 16:01
  • You didn't tag any programming language, but if you would use prepared statements, there is no need for escaping. – Bart Friederichs Dec 29 '13 at 16:01
  • possible duplicate of [Prevent SQL injection in WebSQL database? (How to handle quotes in data?)](http://stackoverflow.com/questions/10148599/prevent-sql-injection-in-websql-database-how-to-handle-quotes-in-data) – Barmar Dec 29 '13 at 17:19

4 Answers


You escape any string only for what's around it. So if you want to put double quotes around this one, you have to protect only the double quote inside.

dkellner
  • I'm getting the content from somewhere I can't control; it may have quotes or double quotes inside it, and it can have both – Alon Dec 29 '13 at 16:02

You can escape a quote using `\`, also known as the escape character. Have a look at this page that showcases the available escape sequences.

Ivaylo Strandjev

You can escape quotes with a backslash:

    insert into foo (id,name,content,url) values (0, 'test123', '<div id=\'test\'>ת"\א היא עיר מצוינת</div>', 'http://www.cnn.com')

You can also use the opposite kind of quotes:

    insert into foo (id,name,content,url) values (0, 'test123', "someContent's", 'http://www.cnn.com')

Here's how to do it with WebSQL parameterized queries:

    // WebSQL's transaction method is executeSql; the values are passed separately
    // from the statement, so they need no quoting or escaping at all.
    transaction.executeSql('INSERT INTO foo (id, name, content, url) VALUES (?, ?, ?, ?)',
        [0, 'test123', '<div id=\'test\'>ת"\א היא עיר מצוינת</div>', 'http://www.cnn.com'],
        callbackfn);
Barmar
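As an added example (not code from any of the answers above), here is the difference between the hand-escaping shown in Ivaylo's and Barmar's answers and the parameterized insert Barmar shows, written in Python. It uses the standard-library `sqlite3` module as a stand-in for MySQL so that it runs offline; the table is the asker's `foo`, the sample content is constructed from the asker's snippet, and the `mysql_escape` helper is an assumed re-implementation of MySQL's backslash escape rules (the sequences on the escape-sequence page the answers refer to), not a library function. With a real MySQL driver the placeholder is `%s` rather than `?`, and the driver does the quoting for you.

```python
import sqlite3

# Constructed sample content, modelled on the asker's HTML snippet: it mixes
# single quotes, double quotes and non-ASCII (Hebrew) text in one string.
SAMPLE_CONTENT = "<div id='test'>ת\"א היא עיר מצוינת</div>"
SAMPLE_URL = "http://www.cnn.com"

# Characters that MySQL's own string escaping rewrites inside a single-quoted
# literal. For any other sequence (such as \/ or \א) MySQL ignores the
# backslash and keeps the bare character, so escaping those is pointless.
# (Assumed mapping written for this example.)
_MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Backslash-escape a string for use inside a MySQL single-quoted literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_insert_by_escaping(row_id: int, name: str, content: str, url: str) -> str:
    """The 'escape it yourself' approach from the answers, applied to every column.

    Returns the statement text so the reader can see exactly what is sent.
    """
    return (
        "INSERT INTO foo (id, name, content, url) VALUES "
        f"({int(row_id)}, '{mysql_escape(name)}', "
        f"'{mysql_escape(content)}', '{mysql_escape(url)}')"
    )


def insert_with_placeholders(conn: sqlite3.Connection, row_id: int,
                             name: str, content: str, url: str) -> None:
    """The parameterized approach: values travel separately from the SQL text,
    so nothing is escaped by hand and a quote in the data cannot end the literal."""
    conn.execute(
        "INSERT INTO foo (id, name, content, url) VALUES (?, ?, ?, ?)",
        (row_id, name, content, url),
    )


def roundtrip(content: str, url: str = SAMPLE_URL) -> str:
    """Create the asker's table in an in-memory database, insert one row with
    placeholders, and return the stored content column unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE foo (id INTEGER, name VARCHAR(50), "
        "content VARCHAR(255), url VARCHAR(255))"
    )
    insert_with_placeholders(conn, 0, "test123", content, url)
    (stored,) = conn.execute("SELECT content FROM foo WHERE id = 0").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    print(build_insert_by_escaping(0, "test123", SAMPLE_CONTENT, SAMPLE_URL))
    print("round trip intact:", roundtrip(SAMPLE_CONTENT) == SAMPLE_CONTENT)
```

The escaping helper is included only so the reader can see the exact set of characters that matter when a statement has to be assembled by hand; the placeholder version is the one to use in an application, because the content (whatever quotes it carries) never becomes part of the statement text.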

Try this:

    insert into foo (id,name,content,url) values (0,'test123','someContent\'s','http:\/\/www.cnn.com')
Waqar Ahmed