This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I JSON decode a page with PHP, but sometimes there's a name like 'M'gladbach' or 'Côte d'Ivoire' and then the SQL sees the first single quote as a stop so it gives me the error after the 'Côte d' Can somebody help me with this problem ?
I know you can do 'Côte d''Ivoire' but as I get all the info from a API I can't put double quotes in it. Thanks a lot.
use double quotes
"M'gladbach"
The proper way to do it is
$item = "Côte d'Ivoire";
$escaped_item = mysqli_escape_string($item);
printf("Protected string : %s\n", $escaped_item);
Now it is safe to put e.g. in a database.
Related
This question already has answers here:
How do I execute PHP that is stored in a MySQL database?
(7 answers)
Closed 4 years ago.
EDIT: This question has been edited from the original
I have a string in a database with HTML and PHP variable's inside. Some of the HTML has double quotes as if I try to use single quotes the database escapes it by adding a quote in front of it like so: ' '.
I want to query the string and assign it to variable $x. And then use eval("\$x = \"$x\";"); to parse the PHP variable, but it seems the double quote is ruining the eval(), and the variables are not parsing.
Is there a way to allow PHP to read the variable?
I am aware, but anyone reading this should also be aware that using eval() can be very dangerous!
Any help would be greatly appreciated!
If your SQL string looks like this: myVar then php:
$myVar = 'hello!';
echo $$var;
If your SQL string looks like this: 3 + 5 then php:
eval($var);
In first option we use Variable Variables
In second option we use eval to evaluate code in string.
This question already has answers here:
Whats the difference between {$var} and $var?
(5 answers)
Closed 5 years ago.
I am a newbie and try to learn PHP especially INSERT INTO statement. I'm know that if we insert value for String we must use '' syntax. But i don't understand meaning of {} syntax for "title" and"link". Any guys can explain for me. Thanks a lot.
On Sql side there is no difference between '$title' or '{$title}' . but in php {$title} is a more complete syntax of $title, that allows one to use :
"this is post {$title}s"
"{$object->data}"
"{$array['data']}"
"{$array['data']->obj->plop['test']}"
The curly braces "escape" the PHP variable and are not passed to MySQL. With a simple variable like $title it doesn't make a difference but with something like $post['title'] it does. for more information check this
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
So I've got this problem where I can't seem to insert texts into my database which contain the following character: ' (as in for example: It's). I've had this problem before and I just stripped the symbol, but now I really need a solution and nowhere on the entire web or stack overflow I can't seem to find a decent and clear answer.
This is how my data is displayed:
HTML
<textarea name="text_from_form">
This is the kind of stuff I need and It's awesome (user input example)
</textarea>
PHP
<?php
$my_text = $_POST["text_from_form"};
$my_text_new = htmlentities($my_text);
$sql = "INSERT INTO tableName (text)
VALUES ('$my_text_new')";
?>
THE ERROR
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's awesome ')' at line 2
Thank you in advance for the help!
The htmlentities() function doesn't escape single quotes ' in default flag (ENT_COMPACT), use htmlentities($text, ENT_QUOTES) or function mysql_real_escape_string() or mysqli_real_escape_string() depending on which library you use.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I want to do an INSERT into a MySQL database using:
$sql = "INSERT INTO table (title1) VALUES ('$myVar')";
but the problem is $myVar can contain the single quotes (' symbols, e.g. in "idiot's"). Can somebody tell me how to handle any single quotes in the variable as a letter and not as a piece of code?
(I know there are posts about this in the forum already, but I do not really understand their solutions, so sorry for double posting)
You might be temped to replace each single quote with two of them.
like so
$myvar = "idiot\'s";
But resist the urge and escape it instead:
<?php $var = "Hello !! idiot's";
mysql_real_escape_string($var);?>
Or even better, use PDO
Use mysqli_real_escape_string like this:
$myVar= mysqli_real_escape_string($link,$myVar);
and then your query.
It is advisable to use PDO too!
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Escaping double quotes in php
In my database, the record is shoing like this is php's code and "called" a special code.
When I am trying to fetch this text from mysql database to my php page, it is showing up to this is php's code and
My code is simple:
$all_gallery_ph_sql = mysql_query("SELECT `path`,`name`,`title`,`details` FROM `gallery` WHERE `status`='1' AND `type`='myreference' AND `enable_status`='1' LIMIT {$startpoint} ,{$limit}");
echo $res['details'];
So how to resolve this issue. Please help me.
Thanks.
You can use htmlentities():
echo htmlentities( $gallerycontent['content'], ENT_QUOTES);