I want to run the following query with a single quoted value.
INSERT INTO web_camp_keywords (web_id, keyword) VALUES (195, 'abc'hotels')
I just want to add abc'hotels value. I used backslash, but it did not work.
INSERT INTO web_camp_keywords (web_id, keyword) VALUES (195, 'abc\'hotels')
How can I resolve this?
You can escape the single quote with another single.
INSERT INTO web_camp_keywords (web_id, keyword)
VALUES (195, 'abc''hotels')
But personally I think you should be using prepared statements with bind parameters.
Among other things, use of prepared statements with bind parameters is one of the easiest ways to help protect against SQL injection, the biggest source of security holes in web applications.
Like Chris Moutray and others mentioned, it would be best if you used pdo and prepared statements. Here is an example on how you could prepare a statement, provide the statement with values and then execute it. I left out the connection.
$statement = $pdo->prepare("insert into web_camp_keywords (web_id, keyword) values (:id, :keyword)");
$statement->bindValue(':id', 195);
$statement->bindValue(':keyword', "abc'hotels");
$statement->execute();
abc'hotelsinto a form instead enteredabc'; DELETE FROM web_camp_keywords;--or worse,abc';DROP SCHEMA public CASCADE;--? splat, there goes your entire database. See en.wikipedia.org/wiki/SQL_injection (Note: TheDROP SCHEMAtrick shouldn't work if your app connects with only the minimum required permissions - it shouldn't own the tables or be a superuser - but your app is probably the owner of the tables.)