This question already has answers here:
How to search for slash (\) in MySQL? and why escaping (\) not required for where (=) but for Like is required?
(5 answers)
Closed 2 years ago.
I have an SQL query which searches for json strings, these json strings include backslashes within them to escape quotation marks.
The SQL query I am using works to find what I am looking for but I'm struggling to get a PHP mysqli query working due to having to have backslashes within the query which are literal and not escape characters, but also having to use backslashes to escape quotation marks within the mysqli query.
So the string I'm searching for is this, with the backslashes actually appearing within the string:
[insert=\"userform\",id=\"1\"]
The SQL query I use is:
SELECT id, name FROM `posts` WHERE content LIKE '%[insert=\\"userform\\",id=\\"1\\"]%' ESCAPE "|"
This works to find the rows I want by changing the default excape character. But then when I try to use the same query in PHP I have to escape the single quotes around the LIKE statement causing issues.
$mysqli->query('SELECT id, name FROM `posts` WHERE content LIKE \'%[insert=\\"userform\\",id=\\"1\\"]%\' ESCAPE "|"');
I'm trying to use mysqli_real_escape_string as I think that will do what I need, but haven't been able to get it right yet, what am I doing wrong?
It's because php escape character is backslash, you need to escape them too like.
$mysqli->query('SELECT id, name FROM `posts` WHERE content LIKE \'%[insert=\\\\"userform\\\\",id=\\\\"1\\\\"]%\' ESCAPE "|"');
A good solution to check it's to echo the query before execute to check if the final result is good.
Related
This question already has answers here:
How to escape underscore in the string query in hibernate and SQL?
(2 answers)
Closed 1 year ago.
I have one MySQL query which is using LIKE for matching a string with one of my tables columns, and it's working fine in most of the scenarios.
select * from TableName where Column like "%STRING%"
But No I have one group of records that have "_0" in it. in this case, I get a get query something like this.
select * from TableName where Column like "%_0%"
in this case, MySQL is taking _ as a wildcard and skipping the first index from the string
Now my question is, is it possible to make this search work as it is, any way to tell MySQL it's not ( _ ) wildcard, So search for the string.
I will really appreciate your help.
Thanks in advance.
Query Result Image
You can use a backslash to escape it:
where Column like '%\_0%'
Or use your own escape character:
where Column like '%$_0%' escape '$';
This question already has answers here:
How to insert a value that contains an apostrophe (single quote)?
(13 answers)
Closed 7 years ago.
In my database, I have a column named storeName with a value called Joe's Kitchen.
When user enters Joe's Kitchen, I would store it in a variable named storeName and do a select query on it like this: "SELECT * FROM shops WHERE storename='".$storeName."'". Problem now is that the value contains apostrophe, how should I go about this ?
I have tried the method below but it is not working
$storeName = mysqli_real_escape_string($db->getConnection(),$_POST["storeName"]);
Escape the apostrophe in query by writing two apostrophes
Example
SELECT * FROM shops WHERE storename='Joe''s Kitchen' //added 2 apostrophes
this is not a recommended method since it has serious security issues, try to use pdo or parameterized queries
In your SQL query, you can replace the single quote ' by `. Then the name can contain single quotes...
You can do this way also
SELECT * FROM shops WHERE
storename="Joe\'s Kitchen"
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Today, mysql_real_escape_string() is escaping single quotes AND double quotes
I understand that single quotes and backslash have special meaning so they need to be escaped if we want them to be interpreted for their literal meaning.
As far as I understand , double quotes are not allowed in mysql queries to represent strings(if this assumption is correct, is this the only reason to escape them ?) and we should use single quotes instead to represent strings.
And what about NULL? Looking for specific examples to understand why double quotes and NULL need to be escaped.
Just to add, I've already searched here on stackoverflow and I see most examples refer to single quotes which I already understand... But I need to understand the reasoning behind double quotes and I cannot find any examples for that...
In default mode, MySQL allows for string literals to be enclosed in single quotes OR in double quotes.
SELECT 'single', "double"
For compatibility with other DBMS, and just in case MySQL mode is set to ANSI_QUOTES, most SQL authors use single quotes to specify string literals. There's really no advantage to using double quotes. (And why write a query in a way that will cause the query to be "broken" when someone changes a variable in their MySQL server session.)
So, the short answer is that double quotes do not need to be escaped in all cases, e.g.
SELECT 'Bob cried "Wheeeee!"'
They do need to be escaped in some cases:
SELECT "Sue screamed \"Stop!\""
But it doesn't hurt to escape the double quotes in any case:
SELECT 'Bob cried \"Wheeeee!\"', "Sue screamed \"Stop!\""
From manual; The mysql client truncates quoted strings containing NUL characters if they are not escaped
If you want to insert binary data into a string column (such as a BLOB column), you should represent certain characters by escape sequences. Backslash (“\”) and the quote character used to quote the string must be escaped. In certain client environments, it may also be necessary to escape NUL or Control+Z. The mysql client truncates quoted strings containing NUL characters if they are not escaped, and Control+Z may be taken for END-OF-FILE on Windows if not escaped. For the escape sequences that represent each of these characters, see Table 9.1, “Special Character Escape Sequences”.
Ref: http://dev.mysql.com/doc/refman/5.0/en/string-literals.html#character-escape-sequences
And you don't need to escape double-quotes, but I think this is not a proper way while playing with strings.
# intead of this
INSERT INTO table (1, "John's cats")
# preferred by many programmer
INSERT INTO table (1, 'John\'s cats')
# but needs to escape here
"INSERT INTO table (1, \"John's cats\")"
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
$time=date("G:i:s j.n.Y");
$wholetime="$time";
mysql_query("INSERT INTO rivase_chat_posts SET sender='$user', content='$msg', time='$wholetime', 'to'='$affectuser'");
$msg="";
I am doing a private chat thing. That is my code. It results this error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''to'='gs'' at line 1 ($user="gskartwii", $msg="HI",
$affectuser='gs')
For column names, use backticks rather than single-quotes:
`to`='$affectuser'
Single quotes are there for strings only. Backticks (normally left of the number 1 on your keyboard) are the things to use for column or table names in mysql.
Edit: As Michael Berkowski correctly points out, the reason you have to do this for the column name is because to is a reserved word in mysql - which is a lovely way of saying that it is a special word that mysql sees to mean something within a query normally. on that note, it really might not be the best idea to use the reserved words as columns in your table - you will have to backtick them in every single instance that you use them. You might want to consider renaming it to something like toUser which will probably make the rest of your project easier to SQL out :)
You put the 'to' between single quotes. Column names are not quoted, or between backquotes. Single quotes are for strings. You cannot update a string, hence SET 'to'='user' is an error.
INSERT INTO rivase_chat_posts
SET `sender`='$user', `content`='$msg', `time`='$wholetime', `to`='$affectuser'
UPDATE: comments say to is a reserved word and should always be escaped - using backquotes.
To is a reserved word. Escape it:
INSERT INTO rivase_chat_posts
SET sender='$user', content='$msg', time='$wholetime', `to` ='$affectuser'
Can someone explain what is the difference between using mysql_real_escape_string on a string or wrapping `` around the column.
For example "insert into table (``column``) values ('$string')"
or
$escapestring = mysql_real_escape_string($string);
"insert into table (column) values ('$escapedstring')"
What is the difference between these two and what should I use? Thanks.
There's a difference between the backtick ` and the single quote '.
The backtick is intended to escape table and field names that may conflict with MySQL reserved words. If I had a field named date and a query like SELECT date FROM mytable I'd need to escape the use of date so that when MySQL parses the query, it will interpret my use of date as a field rather than the datatype date.
The single quote ' is intended for literal values, as in SELECT * FROM mytable WHERE somefield='somevalue'. If somevalue itself contains single quotes, then they need to be escaped to prevent premature closing of the quote literal.
Those two aren't related at all (as far I know anyway)
From the manual : http://php.net/manual/en/function.mysql-real-escape-string.php
Escapes special characters in the
unescaped_string, taking into account
the current character set of the
connection so that it is safe to place
it in a mysql_query().
So essentially what it does is, it will escape characters that are unsafe to go into mysql queries (that might break or malform the query)
So o'reily will become o\'reily