
I'm trying to do a MySQL query in PHP with some special characters. It seems to work if I run the query on my database with straight SQL:

SELECT SUM(quantity_ordered)  FROM `shopping_cart` 
   WHERE `cart_number` = 10316027
   AND `size` IN ('5&#188" x 8&#188"','5⅜" x 7¾"','4½" x 9½"')

The above query returns the expected result and SUM but when I put it in my prepared PHP query it returns no records or SUM.

I suspect that it has to do with the single quotes around each size but if I remove them I get a MySQL error. A similar query in my PHP with straight numbers and no surrounding quotes works fine.

I've tried different ways of escaping the special characters but I'm wondering if this query will work at all with these types of characters?

5
  • What does your prepared statement in php look like and what are the exact values of the variables? Commented Apr 4, 2014 at 16:23
  • @jeroen that's the point. I think he doesn't use a prepared statement, just mysql_query. Commented Apr 4, 2014 at 16:26
  • Here is the prepared statement prepare("SELECT SUM(quantity_ordered),item_number FROM shopping_cart WHERE cart_number = :cart_number AND size IN ($items)"); with $items carrying the same variables as my sql statement Commented Apr 4, 2014 at 16:27
  • Use mysql_real_escape_string before the query for `cart_number` and `item_number`. Commented Apr 4, 2014 at 16:30
  • Show us the actual PHP code that you're trying to execute. Please edit the original question and post the actual code, not a summary or paraphrase. Commented Apr 4, 2014 at 16:45

2 Answers

1

Your problem is that you are probably not escaping the double quotes in your PHP string.

Try this:

$qry = "SELECT SUM(quantity_ordered)  FROM `shopping_cart` 
WHERE `cart_number` = 10316027
AND `size` IN ('5&#188\" x 8&#188\"','5⅜\" x 7¾\"','4½\" x 9½\"')";

2 Comments

That did it! I didn't think I needed to because they were inside the double quotes. Thanks!
That is the problem. They were inside the double quotes, and the next double quote it saw, PHP thought that ended the string.
1

Based on your comment about the prepared statement:

SELECT SUM(quantity_ordered) FROM wholesale_shopping_cart WHERE cart_number = :cart_number AND item_number IN ($items)

You should build your $items array with individual bound variables so that it would look like:

SELECT SUM(quantity_ordered) FROM wholesale_shopping_cart
WHERE
       cart_number = :cart_number
   AND item_number IN (:val1, :val2, :val3)

Then you can bind your variables and execute the query.

If you put your variable directly in your SQL statement, you will (probably...) have an SQL injection problem and you would need to escape your quotes correctly.
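The per-value binding described above, written out as an added PHP/PDO example (not the answerer's code). Table and column names and the size strings come from the question; the DSN and credentials are assumptions.

```php
<?php
// Added example: build the IN (...) list with one PDO placeholder per value,
// so the size strings travel as bound data and are never spliced into the SQL text.
// Table/column names follow the question; connection details below are assumed.

/**
 * Sum quantity_ordered for one cart, restricted to a list of size strings.
 * Returns 0 for an empty list instead of emitting the invalid SQL "IN ()".
 */
function sumQuantityForSizes(PDO $pdo, int $cartNumber, array $sizes): int
{
    $sizes = array_values($sizes);          // force 0..n-1 keys for placeholder names
    if ($sizes === []) {
        return 0;
    }
    // One named placeholder per value: :size0, :size1, ...
    $names = array_map(fn ($i) => ':size' . $i, array_keys($sizes));

    $sql = 'SELECT COALESCE(SUM(quantity_ordered), 0) FROM `shopping_cart`'
         . ' WHERE `cart_number` = :cart_number'
         . ' AND `size` IN (' . implode(', ', $names) . ')';

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':cart_number', $cartNumber, PDO::PARAM_INT);
    foreach ($sizes as $i => $size) {
        // Quotes, entities and non-ASCII characters need no escaping here:
        // the driver sends them as parameters, separate from the statement.
        $stmt->bindValue(':size' . $i, $size, PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Assumed connection; charset=utf8mb4 so characters like ⅜ ¾ ½ round-trip intact,
// and emulated prepares disabled so MySQL itself performs the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Values from the question; in single-quoted PHP strings the " needs no backslash.
$sizes = ['5&#188" x 8&#188"', '5⅜" x 7¾"', '4½" x 9½"'];
echo sumQuantityForSizes($pdo, 10316027, $sizes), PHP_EOL;
```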
