Hello all,
I have a question about PDO and any word that has an apostrophe in it. I have a
function below, if I create (for some reason) a query that is bad, something with
the word don't in it, I get an error. If I add a slash to the word don\'t I
still get an error. Has anyone else gotten this error? Here is my function and
an example (I know the query is ugly, I am trying to do stuff to prevent SQL
injections):
Code:
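// Query string passed to PDOArrayObject(); matches the queryString in the debug output below
$myQuery = "SELECT * FROM users WHERE name = don\'t";

public function PDOArrayObject($query)
{
    // The whole SQL string, value included, goes to prepare(); nothing is bound
    $stmt = conn::getInstance()->prepare($query);
    $stmt->execute();
    $out = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($out) == 0) {
        return $this->error;
    } else {
        return $out;
    }
}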
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have
an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near '\'t' at line 1 in
/Applications/XAMPP/xamppfiles/htdocs/includes/ClassPDODataBase.php on line 38
From the debug:
$stmt = object(PDOStatement)[4]
public 'queryString' => string 'SELECT * FROM users WHERE name = don\'t'
(length=46)
Thanks for the help,
timgerr
-How important does a person have to be before they are considered assassinated instead of just murdered?
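Added example, not part of timgerr's post: the same lookup written with a placeholder and a bound parameter, so the apostrophe travels as data and never enters the SQL text. It assumes the pdo_sqlite extension and an in-memory table so it runs offline; `fetchRows()` and the sample rows are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes pdo_sqlite so it runs offline;
// the prepare()/execute() calls are the same with the MySQL driver.

// Hypothetical helper: the SQL text carries only placeholders, values travel separately.
function fetchRows(PDO $pdo, string $sql, array $params = []): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params); // values are bound here, never spliced into the SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also turn off emulated prepares so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (["don't", "O'Brien", 'alice'] as $name) {
    $insert->execute([':name' => $name]);
}

$sql = 'SELECT id, name FROM users WHERE name = :name';

// 1. Apostrophe in the value: no escaping and no syntax error.
$rows = fetchRows($pdo, $sql, [':name' => "don't"]);
var_dump(count($rows) === 1 && $rows[0]['name'] === "don't");

// 2. A value full of quotes is compared as one literal name and matches no row.
$rows = fetchRows($pdo, $sql, [':name' => "x' OR '1'='1"]);
var_dump($rows === []);

// 3. The query string from the post: the value sits unquoted in the SQL text,
//    so the database rejects it as a syntax error with or without the backslash.
try {
    fetchRows($pdo, "SELECT * FROM users WHERE name = don\'t");
} catch (PDOException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```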