How to pass a stored parameter with escaped characters?

Asked

Viewed 445 times

1

I am using php and mysql and would like to pass the following parameter to a stored Procedure

$param = "col = '{"video":"<iframe width=\'480\' height=\'600\' src=\'www.qualquercoisa.com\´"}'";

call spActCol($param);

but it turns out that stored Procedure nullifies all escaped characters which creates an error when trying to update the database, that is, internally in the previous sentence:

UPDATE exemple SET col = '{"video":"<iframe width='480' height='600' src='www.qualquercoisa.com'"}' where id=1;

Someone has an idea how to solve this problem?

php mysql

  • Ever tried to put src=''www.qualquercoisa.com'' like this? With two single quotes.

  • already solved the problem ?

  • param = "col = '{"video":"<iframe width='480' height='600' src='www.qualquercoisa.com "}'"; call spActCol(mysql_real_escape_string($param)); The function mysql_real_escape_string will escape all ' and " so that it remains a string. Another way would be to make parameterized queries.

1 answer

1

in mysql use:

UPDATE exemple SET col = '{"video":"<iframe width=\'480\' height=\'600\' src=\'www.qualquercoisa.com\'"}' where id=1;

or in php use addslashes()

http://www.w3schools.com/php/func_string_addslashes.asp

if you are using the string for the Procedure to run as sql statement then you have to do a prepare/execute example:

SET @query = CONCAT("UPDATE exemple SET col = ",@parametro," where id=1");      
PREPARE stmt FROM @query;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;

  • opa comenta explica ai como a sua Procedure está executando o sql passado como string?

Browser other questions tagged php mysql

You are not signed in. Login or sign up in order to post.