On 14 May 2010 22:03, Spud. Ivan. <spudmixe@xxxxxxxxxxx> wrote:
>
> I'm trying to insert serialized data into mysql, but I do
> mysql_real_escape_string() before inserting it.
>
> INSERT IGNORE INTO `table` (`value`) VALUES
> ('a:3:{s:12:"F1";s:6:"nombre";s:11:"F2";s:5:"F3";s:16:"F4";s:10:"F5";}');
>
> it results in
> INSERT IGNORE INTO `table` (`value`) VALUES
> (\'a:3:{s:12:\"F1\";s:6:\"nombre\";s:11:\"F2\";s:5:\"F3\";s:16:\"F4\";s:10:\"F5\";}\');
>
> and of course it's not a valid SQL sentence.
>
> Why can't I escape an SQL value with " ???
>
> Regards.
>
> I.Lopez.
>
>

Hello,

Actually, the problem is that you're not just escaping the content of the
insert, but the entire insert statement itself. You need to only escape the
data, not the query.

To properly prepare your statement, you need something like this:

$sql = "INSERT IGNORE INTO `table` (`value`) VALUES ('".mysql_real_escape_string($my_serialized_string)."');";

Note that the mysql_real_escape_string() function is *not* affecting the
apostrophes (') that delineate the value.

Michiel
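
The distinction drawn in the reply above, as an added example that is not part of the original thread: escaping the finished statement breaks it, while passing the serialized value as a bound parameter stores it intact with no manual escaping. Assumptions: an in-memory SQLite database opened through PDO (needs the pdo_sqlite extension) stands in for the MySQL server, addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL connection and was removed in PHP 7.0, the array contents are constructed, and a plain INSERT replaces the MySQL-specific INSERT IGNORE.

```php
<?php
// Added example, not code from the thread. SQLite (in memory) stands in for
// MySQL; addslashes() stands in for mysql_real_escape_string().

// Constructed sample data containing both kinds of quote.
$data = serialize(['F1' => 'nombre', 'F2' => "O'Brien", 'F3' => 'say "hi"']);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `table` (`value` TEXT)');

// Wrong: escaping the whole statement also escapes the apostrophes that
// delimit the value, so the database rejects the query.
$broken = addslashes("INSERT INTO `table` (`value`) VALUES ('$data')");
try {
    $pdo->exec($broken);
    $brokenAccepted = true;
} catch (PDOException $e) {
    $brokenAccepted = false;
}

// Right: the statement text is fixed and the data travels separately as a
// bound parameter, so quotes inside the data can never terminate the literal.
$stmt = $pdo->prepare('INSERT INTO `table` (`value`) VALUES (:value)');
$stmt->execute([':value' => $data]);

// Read the row back and confirm it round-trips byte for byte.
$stored = $pdo->query('SELECT `value` FROM `table`')->fetchColumn();

echo "Escaped statement:\n$broken\n\n";
var_dump($brokenAccepted);      // whether the escaped statement was accepted
var_dump($stored === $data);    // whether the stored value equals the input

// allowed_classes => false keeps unserialize() from instantiating objects
// if the stored column is ever attacker-influenced.
var_dump(unserialize($stored, ['allowed_classes' => false]));
```

Against MySQL the same pattern applies with a `mysql:` DSN in PDO or with mysqli prepared statements.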