Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
639 views
in Technique[技术] by (71.8m points)

mysql - How do I handle single quotes inside a SQL query in PHP?

I am using a particular query for inserting records. It is going well. I am even fetching records with a select query. But my problem is that, if the record contains single quotes ' ', then it gives me this error:

> NOTE:You have an error in your SQL syntax; 
>     check the manual that corresponds to your MySQL server 
>     version for the right syntax to use near 'B''' at line 1

The SELECT query is:

```php
$result = mysql_query("SELECT s.name,
                              s.sid as sid,
                              s.category,
                              p.name as pname
                         FROM poet p
                         INNER JOIN song s
                            ON p.pid = s.pid
                         WHERE s.name = '$sid'") or die(mysql_error());
```

What should I do to avoid the quotes problem here, when I want to insert quotes in my records?



1 Reply

0 votes
by (71.8m points)

Your problem is much worse than this -- what if someone enters the value '; DROP TABLE poet; --? You need to use either mysql_real_escape_string() to escape the value, or use parametrized queries (with PDO, for example).

It's 2011, for crying out loud. Why is SQL injection still a widespread problem?
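The parameterized-query option named in the answer, applied to the question's SELECT, as an added example that is not part of the original question or answer. It assumes PDO with the SQLite driver (an in-memory database stands in for MySQL so the script runs offline); the schema, the sample rows and the `findSongs` helper are constructed for illustration.

```php
<?php
// Added example: SQLite in-memory stands in for MySQL so this runs offline.
// With MySQL only the DSN changes, e.g.
// new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema using the column names from the question.
$pdo->exec('CREATE TABLE poet (pid INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE song (sid INTEGER PRIMARY KEY, pid INTEGER, name TEXT, category TEXT)');

// Constructed sample rows; quotes in the values need no manual escaping
// because the values are bound, never spliced into the SQL text.
$pdo->prepare('INSERT INTO poet (pid, name) VALUES (?, ?)')->execute([1, "O'Brien"]);
$insert = $pdo->prepare('INSERT INTO song (pid, name, category) VALUES (:pid, :name, :category)');
foreach (["Rock 'n' Roll", "'; DROP TABLE poet; --", 'Plain'] as $name) {
    $insert->execute([':pid' => 1, ':name' => $name, ':category' => 'demo']);
}

// Hypothetical helper: the question's SELECT with a bound :name placeholder.
function findSongs(PDO $pdo, string $songName): array
{
    $stmt = $pdo->prepare(
        'SELECT s.name, s.sid AS sid, s.category, p.name AS pname
           FROM poet p
          INNER JOIN song s ON p.pid = s.pid
          WHERE s.name = :name'
    );
    $stmt->execute([':name' => $songName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Both inputs are compared as plain strings against s.name.
foreach (["Rock 'n' Roll", "'; DROP TABLE poet; --"] as $input) {
    printf("%-24s -> %d row(s)\n", $input, count(findSongs($pdo, $input)));
}

// The poet table is untouched: the second input was data, not SQL.
$count = (int) $pdo->query('SELECT COUNT(*) FROM poet')->fetchColumn();
printf("poet rows after lookups: %d\n", $count);
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, performs the parameter binding.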

