    var comma = ",";
    var querys = "insert into movie values ("
               + "'" + movid + "'"
               + comma
               + "'" + name + "'"
               + comma
               + "'" + genere + "'"
               + comma
               + "'" + director + "'"
               + comma
               + "'" + description + "'"
               + ")";

I am having a problem with the above code. I am building a website with express.js and mysql where the user can submit new movies to the site.

Most of the descriptions submitted by users have a single quote in them (example: This movie wasn't shot in studio). Sentences like these give an error. I have tried using comma as a variable and also "'" like this.

Any solution for this? I can't make the users use \' because most of them don't know about it.

Jet Pack
    Surely there's a way to use SQL parameters instead of concatenating strings like this? This is a SQL injection attack waiting to happen. – David Sep 16 '16 at 11:34

1 Answer


You can use the JavaScript String.replace function to replace all the ' characters with a \'. This way the users don't even have to think about it.
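The following is an added example, not code from the question or the answer. It puts the concatenated INSERT from the question next to the placeholder form that the comment recommends, using the `connection.query(sql, values, callback)` call shape of the `mysql` npm package (that signature exists; the driver binds each `?` and escapes the value according to the connection's settings). The sample movie, the small VALUES-list checker and the recording "connection" are constructed here so the example runs without a database. It also shows why the answer as literally written is fragile: `String.prototype.replace` with a string pattern only replaces the first match, so a description with two apostrophes still breaks the statement.

```javascript
// Constructed sample submission. The description carries two apostrophes,
// which is the case the question's concatenation cannot handle.
const sampleMovie = {
  movid: 42,
  name: "Studio Story",
  genere: "Drama",
  director: "A. Director",
  description: "This movie wasn't shot in a studio and the sequel wasn't either",
};

// The question's approach: literal values spliced straight into the SQL text.
function buildConcatenatedInsert(m) {
  const comma = ",";
  return "insert into movie values ("
    + "'" + m.movid + "'" + comma
    + "'" + m.name + "'" + comma
    + "'" + m.genere + "'" + comma
    + "'" + m.director + "'" + comma
    + "'" + m.description + "'"
    + ")";
}

// Checker used only for this demonstration: parses the text between the
// outer parentheses as a comma-separated list of single-quoted literals
// (honouring \' and '' escapes). Returns the literal values, or null when a
// value has terminated its literal early, which is the syntax error the
// asker sees and the foothold an injected value would use.
function parseValuesList(sql) {
  const open = sql.indexOf("(");
  const close = sql.lastIndexOf(")");
  if (open < 0 || close < open) return null;
  const body = sql.slice(open + 1, close);
  const literals = [];
  let i = 0;
  while (i < body.length) {
    if (body[i] !== "'") return null;                  // expected a literal
    let j = i + 1;
    let text = "";
    for (; j < body.length; j++) {
      if (body[j] === "\\" && j + 1 < body.length) {   // backslash escape
        text += body[j + 1];
        j++;
        continue;
      }
      if (body[j] === "'") {
        if (body[j + 1] === "'") { text += "'"; j++; continue; } // '' escape
        break;                                           // end of literal
      }
      text += body[j];
    }
    if (j >= body.length) return null;                 // unterminated literal
    literals.push(text);
    i = j + 1;
    if (i === body.length) break;
    if (body[i] !== ",") return null;                  // junk between literals
    i++;
  }
  return literals;
}

// The answer's suggestion as literally written: a string pattern replaces
// only the FIRST occurrence.
function escapeFirstQuoteOnly(value) {
  return value.replace("'", "\\'");
}

// Global form: every apostrophe is escaped. This survives the checker, but the
// value still depends on the server's escaping rules (charset, sql_mode),
// which is why binding through the driver is the preferred fix.
function escapeAllQuotes(value) {
  return value.replace(/'/g, "\\'");
}

// Placeholder form: the SQL text is constant and the values travel separately.
function buildParameterizedInsert(m) {
  return {
    sql: "INSERT INTO movie VALUES (?, ?, ?, ?, ?)",
    values: [m.movid, m.name, m.genere, m.director, m.description],
  };
}

// Wraps connection.query(sql, values, cb) in a Promise. `connection` is any
// object exposing that method: a real mysql connection or the stand-in below.
function insertMovie(connection, m) {
  const { sql, values } = buildParameterizedInsert(m);
  return new Promise((resolve, reject) => {
    connection.query(sql, values, (err, result) => (err ? reject(err) : resolve(result)));
  });
}

// Constructed stand-in connection: records what it was asked to run.
function makeRecordingConnection() {
  const calls = [];
  return {
    calls,
    query(sql, values, cb) {
      calls.push({ sql, values });
      cb(null, { affectedRows: 1 });
    },
  };
}

console.log(parseValuesList(buildConcatenatedInsert(sampleMovie)));           // null: broken
console.log(buildParameterizedInsert(sampleMovie));                            // constant SQL + raw values
```

With the placeholder form the description reaches the driver untouched; no `replace` is needed in the web tier, and the asker's users never have to type `\'` themselves.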