SQL query statement in PHP doesn't work - php

I have a problem using an SQL query in PHP. I've tried to find out what is wrong with my code; anyway, this code works well as an SQL query via phpMyAdmin and shows the result correctly.
When I use the condition WHERE RoomNo ='D003' or any Room No. (I tried both 'D003' and "D003"), it doesn't query anything at all.
Please help.
Here is my code:
onclick = "javascript: openListOfValue('ADD_LINE','Room','Select RoomNo, RoomType FROM Room WHERE RoomNo ="D003"','RoomNo,RoomType');
<script>
function openListOfValue(mode, table, initSQL, columnname){
// encodeURIComponent keeps the spaces, '=' and quotes in the SQL from corrupting the query string.
// Note: SQL sent from the browser is attacker-controlled; listofvalue.php must not execute it as-is.
window.open("listofvalue.php?mode="+encodeURIComponent(mode)+"&table="+encodeURIComponent(table)+"&initSQL="+encodeURIComponent(initSQL)+"&columnname="+encodeURIComponent(columnname),"popup","width=600,height=350");
}
</script>

SQL string literals are quoted with single quotes.
As your HTML string literal uses double quotes, you are using single quotes for your Javascript string literal. In order to have single quotes inside this string you must escape them. In Javascript you use the backslash to escape a single quote:
onclick = "javascript: openListOfValue('ADD_LINE','Room',
'Select RoomNo, RoomType FROM Room WHERE RoomNo = \'D003\'','RoomNo,RoomType');"

Related

double quoted variable inside single quoted sql query variable

'...where T4."firstName"!=\'ERD\''
*I am sure you know but: ''\'ERD\'' means "ERD" inside single quotation marks.
This is a part of sql query but I want to use a variable instead of ERD. Having trouble with double and single quotation marks. How should I write the variable?
An option to prevent SQL injection is appreciated. I am using ODBC.
I would suggest concatenating it:
// Note: $ERD is placed into the SQL text unescaped here.
$sql = "SELECT * from table1 where firstName = '" . $ERD . "'";

Strings are not escaped when using mysql_real_escape_string or addslashes in MySQL

I use the mysql_real_escape_string PHP function to escape data received from a form. My code to receive the form data is:
$std_id = mysql_real_escape_string($_POST['std_id']);
$name = mysql_real_escape_string($_POST['name']);
$family = mysql_real_escape_string($_POST['family']);
For example, if I enter the string O'reilly in the name form field, this function works fine and my query is done too. But when I go to MySQL and my table, I see that this string is inserted as O'reilly and not O\'reilly.
My query is:
// Values escaped with mysql_real_escape_string() are only safe inside quotes, so std_id is quoted too.
$sql = "insert into student set
std_id = '$std_id',
name = '$name',
family = '$family'";
This happens when I use the addslashes() function too.
This is exactly what is supposed to happen. You want to insert the string O'reilly into the database, not O\'reilly, right?
The slashes merely tell MySQL that the next ' is supposed to be a literal apostrophe, and not the apostrophe/single quote denoting the end of the string.
PS: You might want to consider using PDO and prepared statements, which offer a much cleaner syntax.
That's the point. mysql_real_escape_string is only there to make sure the query syntax is correct. This query syntax would be incorrect:
INSERT INTO ... name = 'O'Reilly'
The string terminator ' is ambiguous/misplaced.
Escaped, this becomes:
INSERT INTO ... name = 'O\'Reilly'
Now the syntax is unambiguous, the ' after O is not the string terminator, it's a literal value. That's all mysql_real_escape_string is supposed to do. You do not want the value as "O\'Reilly" in your database, because that's garbage.
You should read The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
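As an added illustration (not code from either answer), the following PHP emulates the escaping mysql_real_escape_string() applies to the characters it handles and then reads the quoted literal back the way the server's lexer would, so you can see that the stored value is O'reilly and that the unescaped form is rejected. The function names are my own.

```php
<?php
// Added example: emulate the escaping mysql_real_escape_string() applies to the
// characters it handles, then read the literal back as the MySQL lexer would.
// Wrap a raw PHP string as a single-quoted SQL literal.
function sqlQuoteLiteral(string $raw): string {
    $map = [
        "\0" => '\0', "\n" => '\n', "\r" => '\r', "\x1a" => '\Z',
        "\\" => '\\\\', "'" => "\\'", '"' => '\"',
    ];
    return "'" . strtr($raw, $map) . "'";
}

// Recover the value the server stores from a quoted literal.
function sqlParseLiteral(string $literal): string {
    $n = strlen($literal);
    if ($n < 2 || $literal[0] !== "'" || $literal[$n - 1] !== "'") {
        throw new InvalidArgumentException('not a single-quoted literal');
    }
    $undo = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a"];
    $out = '';
    for ($i = 1; $i < $n - 1; $i++) {
        $c = $literal[$i];
        if ($c === '\\') {
            if (++$i >= $n - 1) {
                throw new InvalidArgumentException('dangling backslash');
            }
            $e = $literal[$i];
            $out .= $undo[$e] ?? $e;   // \' \" \\ stand for the character itself
        } elseif ($c === "'") {
            // A bare quote ends the literal early; the rest would be parsed as SQL.
            throw new InvalidArgumentException("unescaped quote at offset $i");
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Constructed demonstration with the value from the question.
$name    = "O'reilly";
$literal = sqlQuoteLiteral($name);                 // 'O\'reilly'
echo "insert into student set name = $literal\n";  // what the server receives
var_dump(sqlParseLiteral($literal) === $name);     // bool(true): no backslash stored

try {
    sqlParseLiteral("'O'reilly'");                  // the unescaped form
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```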

Php/SQL/DB2 special characters in where clause

I am trying to query a DB2 database (on an iSeries) using PHP and db2_exec, not MySQL.
I have these characters in my WHERE clause (variable $EncSSN) which cause the SQL statement to stop: ðIn*Éæng “"Ò×ÑRÈ•`
The SQL is constructed as:
select EENUM, EESSN
from EEMAST
where EESSN = '$EncSSN'
The field in the table EESSN contains encrypted values.
- I get no errors and no log entries. The html renders a blank page.
- I have tried replacing (str_replace) quotes, single quotes, period, etc with escape character '\'
- I can't use mysql_real_escape_string because I am loading the db2_connect resource.
If I change the WHERE clause of the SQL statement above to select on a different field, my HTML is rendered properly.
Can you think of any way I can accomplish this?
Steven
Prepare the SQL and set the parameter for where clause using the array approach. Never ever attempt to build SQL queries by string functions.
Try the addslashes() function: http://php.net/manual/en/function.addslashes.php
or heredoc or nowdoc syntax:
http://php.net/manual/en/language.types.string.php
You could also put the SQL in a stored proc, but you may have the same issues for the parameter value and need to try one of the above.
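The "prepare and bind" approach recommended above, and the injection-safe option asked for in the ODBC firstName question earlier, look like this with PDO. This is an added example, not code from the thread; it assumes the pdo_odbc driver, and the DSN, credentials, and function names are placeholders of my own.

```php
<?php
// Added example (not from the thread): bind the value as a parameter instead of
// splicing $EncSSN into the SQL text. Assumes the pdo_odbc driver; DSN and
// credentials are placeholders.

function findEmployeeByEncSsn(PDO $db, string $encSsn): ?array {
    // The value travels as data, so quotes, backslashes and non-ASCII bytes in
    // $encSsn never reach the statement text and need no escaping.
    $stmt = $db->prepare('SELECT EENUM, EESSN FROM EEMAST WHERE EESSN = ?');
    $stmt->execute([$encSsn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same pattern for the ODBC firstName question, using a named placeholder.
function rowsNotNamed(PDO $db, string $firstName): array {
    $stmt = $db->prepare('SELECT * FROM table1 T4 WHERE T4."firstName" <> :name');
    $stmt->execute([':name' => $firstName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('odbc:DSN=YOUR_DSN_PLACEHOLDER', 'USER_PLACEHOLDER', 'PASSWORD_PLACEHOLDER');
// Throw on driver errors instead of silently rendering a blank page.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$EncSSN = "It's \"Éæ\" \\ data";   // constructed value with awkward bytes; no escaping needed
var_dump(findEmployeeByEncSsn($db, $EncSSN));
var_dump(count(rowsNotNamed($db, 'ERD')));
```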

PDO: Quotes in SQL

I'm seeing some weirdness when I try to run a query using PDO. The following code shouldn't return results, but it does:
$safe_path = $this->_databaseConnection->quote($unsafe_path);
$sql = "SELECT * FROM routes WHERE path=$safe_path LIMIT 1";
$statement_handle = $this->_databaseConnection->query($sql);
var_dump($statement_handle->fetchAll());
I'm confused because there aren't single quotes around the $safe_path variable as there would be if I were using the mysqli extension - but it's working. If I enclose $safe_path in quotes, no results are returned. This seems strange to me.
You are already quoting the $safe_path variable with your first line in the sample:
$safe_path = $this->_databaseConnection->quote($unsafe_path);
That is why it works as it stands. If you attempt to add quotes yourself in the:
$sql = "SELECT * FROM routes WHERE path='$safe_path' LIMIT 1";
line then you would be doubling up the quotes and therefore breaking the SQL query.
Please see the manual page for quote() for more information:
PDO::quote() places quotes around the input string (if required) and
escapes special characters within the input string, using a quoting
style appropriate to the underlying driver.
The PDO quote method just adds quotes in a string context.
http://php.net/manual/en/pdo.quote.php
PDO::quote() places quotes around the input string (if required)[...]
Aren't you adding quotes?
$safe_path = $this->_databaseConnection->quote($unsafe_path);

PHP escaping question

I have just read the following code but do not understand why there is " and also ' used. Thank you!
$sql='SELECT uid,name FROM users WHERE user="'.mysql_real_escape_string($_POST['login_name']).'" AND ..
There shouldn't be.
The "correct" $sql might look like this:
$sql="SELECT uid,name FROM users WHERE user='".mysql_real_escape_string($_POST['login_name'])."'";
You use ' in SQL to say it's a string / literal.
I would suggest that you look into prepared statements; I don't trust mysql_real_escape_string nor mysql_very_real_seriously_this_is_the_real_escape_string; that PHP syndrome is not to be trusted.
This is a PHP program to write an SQL query (and store it in a string).
The target SQL looks like this:
SELECT uid,name FROM users WHERE user="something" AND …
So in PHP terms:
$foo = 'SELECT uid,name FROM users WHERE user="something" AND …';
But you want to replace "something" with dynamic data. In this case the posted login_name — but made safe for MySQL.
$foo = 'SELECT uid,name FROM users WHERE user="' .
mysql_real_escape_string($_POST['login_name']) .
'" AND …';
A better approach is to use prepared statements.
The single quotes surround the SQL-statement ("SELECT..."), the double quote surround the data for the field "user" (though I'd use the quotes the other way around).
The query would look something like this (use single quotes):
SELECT uid FROM users WHERE user='snake'
To assign this query to the variable $sql, you'd have to enclose it in quotes, using double quotes this time, so PHP doesn't assume, the string would end before 'snake':
$sql = "SELECT uid FROM users WHERE user='snake'";
And as you won't always be asking for 'snake' statically, you exchange 'snake' with a dynamic name, exiting/entering the $sql-string by using double quotes again:
$sql = "SELECT uid FROM users WHERE user='" . $dynamic . "'";
If you only wanted one type of quotes, you'd have to escape the quotes that enclose the user-string.
The " will be literally included in the final MySQL request, so the request sent to the MySQL database will be:
SELECT uid,name FROM users WHERE user="loginname" AND ..
The single quotes are used to define your string in PHP. The double ones delimit your text field (login_name) in your SQL query.
This is done to avoid escaping the quotes of the query, if the same were used.
You can use single or double quotes for wrapping strings in php. However, there are differences.
With single quote strings, you cannot inline variables (eg: $a = 'hi $name'), nor can you escape characters (eg: $a = 'hi!\n$name').
Here is a nice summary: http://www.jonlee.ca/php-tidbit-single-quotes-vs-double-quotes/
Also on a side note.. Not sure if double quotes should be used for encasing strings in SQL. I do believe you should use single quotes in most DBs.
Looks like the single quotes are used for the PHP code that forms the query and the double quotes are used for the query itself.
More on Single/Double quotes
You can always echo out the $sql value to see how the single/double quotes look before executing the SQL against a DB.
Something like:
$sql='SELECT uid,name FROM users WHERE
user="'.mysql_real_escape_string($_POST['login_name']).'"';
// Print the SQL
echo $sql."<br />";
