I want to fetch a spare part from MySQL (Yii framework). Some part titles contain ', for ex.: OUTLANDER '03-06
For security reasons I encode the query string parameter through htmlspecialchars()
(converts special characters to HTML entities), so the query becomes:
SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER '03-06 %"
LIMIT 0 , 10
yet this yields an empty result.
While if I only escape ' by adding a slash, such a query works:
SELECT *
FROM assortment
WHERE title LIKE "%OUTLANDER \'03-06 %"
LIMIT 0 , 10
What's the problem? Do I still need to apply htmlspecialchars() to input parameters to make them safe HTML entities for security reasons? What would be a solution?
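Why the HTML-encoded value matches nothing while the apostrophe itself is harmless to a bound parameter, as an added example that is not part of the original post. It uses Python's sqlite3 and html.escape() as stand-ins for MySQL/Yii and PHP's htmlspecialchars(); the assortment rows are constructed sample data.

```python
import html
import sqlite3

# Constructed sample data standing in for the MySQL "assortment" table.
SAMPLE_TITLES = ["OUTLANDER '03-06", "OUTLANDER '07-12", "LANCER '08-"]


def make_db():
    """Build an in-memory table holding the constructed sample titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assortment (title TEXT)")
    conn.executemany("INSERT INTO assortment VALUES (?)",
                     [(t,) for t in SAMPLE_TITLES])
    return conn


def search_interpolated(conn, term):
    """Fragile: the term is pasted into the SQL text, so a quote inside it
    becomes SQL syntax. That is the injection risk escaping tries to patch."""
    sql = f"SELECT title FROM assortment WHERE title LIKE '%{term}%'"
    return [r[0] for r in conn.execute(sql)]


def search_bound(conn, term):
    """Safe: the term travels as a bound parameter. A quote is plain data,
    never syntax, so the value needs no escaping or HTML encoding at all."""
    sql = "SELECT title FROM assortment WHERE title LIKE ?"
    return [r[0] for r in conn.execute(sql, (f"%{term}%",))]


def demo():
    conn = make_db()
    raw = "OUTLANDER '03-06"
    # html.escape mirrors htmlspecialchars(): the apostrophe is rewritten as
    # an entity, so the value no longer equals the stored title and LIKE
    # finds nothing. HTML encoding is for HTML output, not for SQL input.
    encoded = html.escape(raw)  # "OUTLANDER &#x27;03-06"
    results = {
        "html_encoded_then_bound": search_bound(conn, encoded),
        "raw_bound": search_bound(conn, raw),
    }
    try:
        search_interpolated(conn, raw)
        results["interpolated_error"] = False
    except sqlite3.OperationalError:
        results["interpolated_error"] = True  # the quote broke the statement
    return results
```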
I think you have to use mysql_real_escape_string() instead.
Ref: http://www.w3schools.com/php/func_mysql_real_escape_string.asp