This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I want to do an INSERT into a MySQL database using:
$sql = "INSERT INTO table (title1) VALUES ('$myVar')";
but the problem is $myVar can contain the single quotes (' symbols, e.g. in "idiot's"). Can somebody tell me how to handle any single quotes in the variable as a letter and not as a piece of code?
(I know there are posts about this in the forum already, but I do not really understand their solutions, so sorry for double posting)
You might be temped to replace each single quote with two of them.
like so
$myvar = "idiot\'s";
But resist the urge and escape it instead:
<?php $var = "Hello !! idiot's";
mysql_real_escape_string($var);?>
Or even better, use PDO
Use mysqli_real_escape_string like this:
$myVar= mysqli_real_escape_string($link,$myVar);
and then your query.
It is advisable to use PDO too!
Related
This question already has answers here:
How do I execute PHP that is stored in a MySQL database?
(7 answers)
Closed 4 years ago.
EDIT: This question has been edited from the original
I have a string in a database with HTML and PHP variable's inside. Some of the HTML has double quotes as if I try to use single quotes the database escapes it by adding a quote in front of it like so: ' '.
I want to query the string and assign it to variable $x. And then use eval("\$x = \"$x\";"); to parse the PHP variable, but it seems the double quote is ruining the eval(), and the variables are not parsing.
Is there a way to allow PHP to read the variable?
I am aware, but anyone reading this should also be aware that using eval() can be very dangerous!
Any help would be greatly appreciated!
If your SQL string looks like this: myVar then php:
$myVar = 'hello!';
echo $$var;
If your SQL string looks like this: 3 + 5 then php:
eval($var);
In first option we use Variable Variables
In second option we use eval to evaluate code in string.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
So I've got this problem where I can't seem to insert texts into my database which contain the following character: ' (as in for example: It's). I've had this problem before and I just stripped the symbol, but now I really need a solution and nowhere on the entire web or stack overflow I can't seem to find a decent and clear answer.
This is how my data is displayed:
HTML
<textarea name="text_from_form">
This is the kind of stuff I need and It's awesome (user input example)
</textarea>
PHP
<?php
$my_text = $_POST["text_from_form"};
$my_text_new = htmlentities($my_text);
$sql = "INSERT INTO tableName (text)
VALUES ('$my_text_new')";
?>
THE ERROR
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's awesome ')' at line 2
Thank you in advance for the help!
The htmlentities() function doesn't escape single quotes ' in default flag (ENT_COMPACT), use htmlentities($text, ENT_QUOTES) or function mysql_real_escape_string() or mysqli_real_escape_string() depending on which library you use.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
As the title says. If a user tries u upload a file with ' in title it throws error(it won't connect to server). Should I replace that sign during upload or something else. It just simple connecting to database
$b = "select * from doc";
$rez1 = mysql_query($b) or die("<span>error</span>");
I'd recommend using escaping methods instead of manipulating the input.
This ist the safest way to prevent SQL Injections. (And never tell the user, the technical details why something doesn't work, except you want some of them to exploit these exceptions)
Also, don't ever use the old and deprecated mysql* functions; learn PDO or mysqli instead.
If you were using mysql, then switch to mysqli and use this: mysqli_real_escape_string()
Otherwise, you could use a regex that repaces ' with \' -
preg_quote()
$string = "Something with 'quotes' ";
$res = preg_quote($string, "'");
echo $res;
will return:
Something with \'quotes\'
Which will cause no problem during the insertion.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I JSON decode a page with PHP, but sometimes there's a name like 'M'gladbach' or 'Côte d'Ivoire' and then the SQL sees the first single quote as a stop so it gives me the error after the 'Côte d' Can somebody help me with this problem ?
I know you can do 'Côte d''Ivoire' but as I get all the info from a API I can't put double quotes in it. Thanks a lot.
use double quotes
"M'gladbach"
The proper way to do it is
$item = "Côte d'Ivoire";
$escaped_item = mysqli_escape_string($item);
printf("Protected string : %s\n", $escaped_item);
Now it is safe to put e.g. in a database.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Difference between single quote and double quote string in php
Hey I'm having trouble inserting page content into my database.
I'm trying to store:
<p class=\"heading_large\"><?php echo $Topic2C2A[data]; ?></p>
Using this code:
$sql="UPDATE event SET
data='<p class=\"heading_large\"><?php echo $Topic2C2A[data]; ?></p>'
WHERE id='2'";
But when I look at the table all I see is:
<p class="heading_large"><?php echo ; ?></p>
I've obviously escaped the HTML with slashes, is there something similar I need to do with the PHP so $Topic2C2A[data] is displayed?
I would suggest you write your $sql as:
$sql="UPDATE event SET data='<p class=\"heading_large\">".$Topic2C2A[data]."</p>' WHERE id='2'";
Your issue is related to the fact PHP is processing variables inside " (double) quotes.
You can change quotes to ' (single) or another option is to change $Topic2C2A[data] to \$Topic2C2A[data].
Did you try mysqli_real_escape_string()? It should return a fully escaped String!