mysql, d, vibe.d

SQL query cannot handle quotation marks


I am trying to build a small blog application using vibe.d. I have a form at this address:

http://localhost:8888/gönderiler/oluştur

The user enters a post title and body. Then this information is stored in a database. So far so good.

Let's say the user inputs a string with a quotation mark like this:

deneme'miz

Then the SQL query becomes like this:

INSERT INTO gonderiler (kullanici_no, baslik, icerik, created_at, updated_at) VALUES (1, 'Deneme', 'deneme'miz', '2017-09-25 12:29:30', '2017-09-25 12:29:30')

As you can see, there are three quotation marks.

    import std.array : replace;
    import vibe.core.log : logInfo;

    // "\'" inside a D double-quoted string is just "'", so these two replaces change nothing
    auto başlık = this.başlık_.replace("'","\'");
    auto içerik = this.içerik_.replace("'","\'");

    logInfo("%s %s", başlık, içerik);

    // the user's text is spliced straight into the SQL text, so a ' in it ends the literal early
    // (zaman is the timestamp string used for created_at/updated_at, set elsewhere)
    auto sqlKomutu = "INSERT INTO gonderiler (kullanici_no, baslik, icerik, created_at, updated_at) VALUES (1, '"
                     ~ başlık ~
                     "', '"
                     ~içerik ~
                     "', '"
                     ~ zaman ~
                     "', '"
                     ~ zaman ~
                     "')";

I tried to replace the ' characters with \', but I don't think it works.

A friend of mine suggested using these characters:

merhaba "dünya"

But this time I get an error like this:

MySQL error: Unknown column 'deneme' in 'field list'

Update: solved

I put double quotation marks, as suggested.

    // '' is how SQL writes a literal single quote inside a single-quoted string
    auto başlık = this.başlık_.replace("'",`''`);
    auto içerik = this.içerik_.replace("'",`''`);

Solution

  • Put another quotation mark next to it, like so:

    'deneme''miz'

    If that doesn't work, just use double quotation marks around it:

    "deneme'miz"
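The thread above fixes the symptom (a broken literal) but not the underlying problem: the post title and body are concatenated into the SQL text, so whatever escaping rule is applied by hand, the user's input is still parsed as SQL. Quote-doubling is the correct escape for a quote inside a single-quoted literal, but in MySQL's default mode a backslash is also an escape character, so a value ending in a single `\` still swallows the closing quote; wrapping the value in double quotes instead only moves the failure to inputs that contain a `"`. The robust fix is the driver's own parameter binding, where the values never pass through the SQL parser at all. The following is an added example, not code from the question or from vibe.d; it uses Python's standard `sqlite3` module instead of D and MySQL so that it runs offline, and all names (`escape_noop`, `escape_double_quote`, `build_by_concat`, `insert_param`, `PAYLOAD`) and the table schema are constructed here. It reproduces the question's three stages (the no-op `\'` replace, the `''` replace, and a constructed attacker payload) and then shows the parameterized INSERT storing the same payload as plain text:

```python
import sqlite3

# Column list taken from the question's INSERT; the table itself is created in memory below
# with a constructed schema (TEXT everywhere except kullanici_no).
INSERT_PREFIX = ("INSERT INTO gonderiler "
                 "(kullanici_no, baslik, icerik, created_at, updated_at) VALUES ")

ZAMAN = "2017-09-25 12:29:30"  # the timestamp string the question's query used


def escape_noop(s: str) -> str:
    """The question's first attempt. "\\'" is the same one-character string as "'"
    in Python, exactly as in a D double-quoted string, so nothing is replaced."""
    return s.replace("'", "\'")


def escape_double_quote(s: str) -> str:
    """The accepted fix: SQL escapes a quote inside a single-quoted literal by doubling it."""
    return s.replace("'", "''")


def build_by_concat(baslik: str, icerik: str, escape) -> str:
    """Rebuilds the question's string-concatenated INSERT with a chosen escaping function."""
    return (INSERT_PREFIX + "(1, '" + escape(baslik) + "', '" + escape(icerik) + "', '"
            + ZAMAN + "', '" + ZAMAN + "')")


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gonderiler (kullanici_no INTEGER, baslik TEXT, icerik TEXT, "
                 "created_at TEXT, updated_at TEXT)")
    return conn


def select_rows(conn: sqlite3.Connection):
    return conn.execute("SELECT kullanici_no, baslik, icerik FROM gonderiler "
                        "ORDER BY kullanici_no").fetchall()


def insert_concat(baslik: str, icerik: str, escape):
    """Runs the concatenated statement and returns what ended up in the table."""
    conn = fresh_db()
    conn.execute(build_by_concat(baslik, icerik, escape))
    return select_rows(conn)


def insert_param(baslik: str, icerik: str):
    """The robust fix: '?' placeholders, values passed separately to the driver.
    The values are never part of the SQL text, so they cannot change its structure."""
    conn = fresh_db()
    conn.execute(INSERT_PREFIX + "(?, ?, ?, ?, ?)", (1, baslik, icerik, ZAMAN, ZAMAN))
    return select_rows(conn)


# Constructed attacker input for the post body: closes the icerik literal, completes the row,
# appends a second row owned by user 999, and comments out the rest of the statement with "--".
PAYLOAD = ("a', '2017-01-01', '2017-01-01'), "
           "(999, 'injected', 'row', '2017-01-01', '2017-01-01') -- ")


def demo() -> dict:
    results = {}
    # 1. no-op escape + a quote in the input: the literal breaks and the statement is rejected,
    #    the sqlite counterpart of the question's "Unknown column" error from MySQL
    try:
        insert_concat("Deneme", "deneme'miz", escape_noop)
        results["noop_quote"] = "accepted"
    except sqlite3.OperationalError:
        results["noop_quote"] = "syntax error"
    # 2. doubled-quote escape: the quote is stored as data, as in the question's update
    results["double_quote"] = insert_concat("Deneme", "deneme'miz", escape_double_quote)
    # 3. the no-op escape against a crafted body: two rows, one of them for user 999
    results["noop_payload"] = insert_concat("Deneme", PAYLOAD, escape_noop)
    # 4. parameter binding: the identical payload is just the text of one row
    results["param_payload"] = insert_param("Deneme", PAYLOAD)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In D the same shape is a prepared statement from the MySQL driver (in mysql-native, as I recall its API: `conn.prepare("... VALUES (?, ?, ?, ?, ?)")`, then `setArgs` with the five values and `conn.exec`; check the documentation for your version). Once the values travel as parameters, the `replace` calls in the question become unnecessary, and the user can post titles containing `'`, `"` or `\` without the application having to know the quoting rules of each database.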