This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
here's my question:
What is a PHP variable/string without quotes? Below is the code I wrote and went wrong:
$email = $_POST['email'];
$query = "DELETE FROM email_list WHERE email = $email";
the correct code should be:
$query = "DELETE FROM email_list WHERE email = '$email'";
So, variable $email is not a string without quotes, even if it's what I input in the form?
Then I wrote a code in PHP:
echo($email."<br />");
echo("$email" ."<br />");
The result turned out to be same in the browser.
So why should I add another single quotes to enclose $email while it's already enclosed by double quotes?
Writing $email and "$email" outputs the same. Writing "'$email'" doesn't.
In the last case, you are adding a single quote before and after; which are needed by SQL to recognize a string.
If the creators of the SQL language had decided that strings had to be enclosed between # you would have to write "#$email#" if you want the SQL engine to recognize the string. It has nothing to do with how PHP treats or interpolates strings; it has to do with SQL.
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I'm working on a website, and I have encountered with an strange MySQL behaviour. I'm trying to use an MySQL Update Query with multiple WHERE Clauses.
$name = $_POST['username'];
$updatequery1 = "UPDATE OTP SET 'Project' = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
$sqlconnection->query($updatequery1);
die("DONE");
Note that I've already defined $hashedotp.
When I try doing the same thing in MySQL Console it works pretty well, and I've made sure that the user used to define $sqlconnection has Update rights.
I've tried solutions DESCRIBED
HERE
HERE
I've spent hours searching about it, but to no avail.
Thanks a lot in advance!
Try this Remove single quote from your query
$updatequery1 = "UPDATE OTP SET Project = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
So I'm a beginner with PHP, and currently, I'm studying MySQL right now, and I'm having trouble with this particular code.
$connection = mysqli_connect('localhost','root','','loginapp');
$username = $_POST['username'];
$password = $_POST['password'];
$query = "INSERT INTO users(username,password) VALUES ('$username','$password')";
$result = mysqli_query($connection,$query);
if ($result)
echo 1
else if(!$result)
echo 0;
*Basically it echoes 1 if the username and password have been transferred to the database successfully, and 0 when it doesn't.
If I remember correctly, you only use quotes ' ' for strings and when passing variables, you don't need to encase them with ' or ". So, I tried removing the quotes from the variables in VALUES($username,$password) and it starts to echo 0 instead. Can anyone provide me an explanation as to why the variables have to be enclosed with ' or " inside the VALUES so I'd have a better understanding of how it works?
You password and username fields must be strings in mysql, so you'll need to put them between quotes on the query.
I suggest you to take a look at prepared statments too, it will be a better way to do this query.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I tried to create a script which will save all the IP address that came to my website (for adwords checking purposes). However when I try, the code doesnt save to database at all. Here is the code:
<?php
session_start();
// Create connection
$mysqli = new mysqli("localhost", "hashmicr_admineq", "monkeycool100", "hashmicr_sessionchecker");
date_default_timezone_set('Asia/Singapore');
$date = date("Y-m-d H:i:s");
$query = "INSERT INTO sessioncheck(ipaddress,date) VALUES (".$_SERVER['SERVER_ADDR'].", ".$date.")";
$mysqli->query($query);
/* close connection */
$mysqli->close();
?>
This is placed on the top of the PHP page.
Did I miss on any steps?
Need to add single quotes as both the field values contain non-numeric (other than 0-9) characters.
You can insert only numeric without single quotes.
Corrected SQL:
$query = "INSERT INTO sessioncheck(ipaddress,date)
VALUES ('".$_SERVER['SERVER_ADDR']."', '".$date."')";
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
This string works:
$sql = 'SELECT * FROM Bar_Info WHERE b_id=' .
$db->real_escape_string($_GET['b_id']);
However, this one does not:
$sql = 'SELECT * FROM Bar_Info WHERE BarLink=' .
$db->real_escape_string($_GET["BarLink"]);
b_id are variables and BarLink are names of bars some including hyphens. An example being: granite-city
Is there any reason the second example of code would not work?
You need to quote your SQL parameters:
$sql = 'SELECT * FROM Bar_Info WHERE BarLink=\'' . $db->real_escape_string($_GET["BarLink"]).'\'';
The first query likely works because you just use numbers, but the second one uses a string.
PS: Quoting is necessary in both cases as otherwise you are vulnerable to SQL injection.
strings in SQL queries have to be surrounded by quotation marks, while integers don't. So if "BarLink" contains strings, you'll have to add those:
$sql = 'SELECT * FROM Bar_Info WHERE BarLink="' . $db->real_escape_string($_GET["BarLink"]).'"';
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I'm trying to change the content of a string (from user's input), I'd like to remove any character that will let my query fail. For example, if I insert a second name with a " ' " in it, the query will fail.
Since I have to then output these rows from the DB, I'm wondering if there's any way to insert the string in the database while replacing the special character with its HTML value so that when I'm outputting it, the browser will do the rest.
I'm leaving you an example:
$string = $_POST['user_input']; // Let it be Lol'd
$sql = "INSERT INTO table(field) VALUES('$string')";
Now without anything done to the string I'd get the query as:
INSERT INTO table(field) VALUES('Lol'd')
What I'm looking for is something to turn the ' into ' so that in the DB it's saved Lol'd but when I echo it it'll just print Lol'd
There are lot of solutions. You can use a function like htmlentities():
$string = htmlentities($_POST['user_input']); // Let it be Lol'd
$sql = "INSERT INTO table(field) VALUES('$string')";
To read the string from your MySQL table, use html_entity_decode()
try this
$string = str_replace("'","\'",$_POST['user_input']);
$sql = "INSERT INTO table(field) VALUES('$string')";