This question already has answers here:
Escaping single quote in PHP when inserting into MySQL [duplicate]
(8 answers)
Closed 7 years ago.
I am passing data from AJAX to my PHP. I just run a for loop to make my query. Problem with my data is that it contains single quote.
I am using single quote to enclose my parameters in the query. Query is something like
INSERT INTO myTable (column1.column2) VALUES('value1', 'value2'),
('value'1', 'value2');
I want to escape like
INSERT INTO myTable (column1.column2) VALUES('value1', 'value2'),
('value\'1', 'value2');
I just tried mysqli_real_Escape_String. It returns something like
INSERT INTO myTable (column1.column2) VALUES(\'value1\', \'value2\'),
(\'value\'1\', \'value2\');
So Query execution fails.
I don't think using htmlspeciachars is the right way for this.
Any suggestions?
You should definitely be using prepared statements. They're not that tricky.
However, if you're not going to make that jump then you just need to use mysqli_real_escape_string properly.
From the result you got, I'm guessing you wrapped the whole query in the mysqli_real_escape_string function. However you should just wrap the value in it.
i.e.
"INSERT INTO myTable (column1, column2) VALUES('value1', 'value2'),
('" . mysql_real_escape_string("value'1") . "', 'value2')";
Thats a pretty contrived way of doing things. But the idea is: only wrap the value in mysqli_real_escape_string().
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
i have this JSON string, which i want to insert into table. Here is my insert query:
$insert_sql = 'INSERT INTO yun_postmeta (post_id, meta_key, meta_value)
VALUES (5054, "_wc_free_gift_coupon_free_shipping", "a:1:{i:6;a:3:{s:10:"product_id";i:6;s:12:"variation_id";i:0;s:8:"quantity";i:1;}}");';
Of course, the query breaks because of the quotes ("). When i add backslash () in front of them, to escape, the query works and string gets inserted into the table, but for some reason my system doesn't work properly.
However, if i copy the JSON string and insert it manually into table, using phpmyadmin, system works normally.
Any idea what could be the problem here?
This sounds like encoding problem, but i don't have a clue what to do to solve it.
Thank you!
The SQL query should only use single quotes around values ie:
VALUES (5054, '_wc_free_gift_coupon_free_shipping', ...
So in PHP the string should be defined in double quotes to limit the amount of escaping you do as well as allowing variables to be added:
$insert_sql = "INSERT INTO yun_postmeta (post_id, meta_key, meta_value)
VALUES (5054, '_wc_free_gift_coupon_free_shipping', ... )";
As far as your values you should use mysqli_real_escape_string to handle escaping the double quotes:
http://php.net/manual/en/mysqli.real-escape-string.php
$escaped_json = mysqli_real_escape_string($con, 'a:1:{i:6;a:3:{s:10:"product_id";i:6;s:12:"variation_id";i:0;s:8:"quantity";i:1;}}');
$insert_sql = "INSERT INTO ... VALUES ( 5054, '_wc_free_gift_coupon_free_shipping', $escaped_json ...
This question already has answers here:
SQL injection that gets around mysql_real_escape_string()
(4 answers)
Closed 5 years ago.
So I know that using prepared statements with placeholders is pretty much the only way to protect yourself from SQL injection due to poor formatting of your queries. However, I also see many people suggesting that, although mysqli_real_escape_string is NOT safe, using it with single quotes around the variable is. For example (note the single quotes in the query):
$value1 = mysqli_real_escape_string($value1);
$value2 = mysqli_real_escape_string($value2);
$value3 = mysqli_real_escape_string($value3);
mysqli_query("INSERT INTO table (column1, column2, column3)
VALUES ('" . $value1 . "', '" . $value2 . "', '" . $value3 . "')";
So: when only dealing with integers and strings, would the above example be just as safe as if you were to use mysqli prepared statements and placeholders?
It is not mysqli_real_escape_string that is not safe, but the way PHP users tend to use it.
As long as you are setting a character set with set_charset() and always wrapping your escaped values in single quotes, despite the type, then technically the statement above would be safe.
However, as you can see, there are too much rules to follow - a condition that is too complex for an average PHP user. Therefore, this kind of manual formatting is an endless source of injections, simply because any rule (escaping, quoting, setting a charset) could be just forgotten to apply.
Besides, manual escaping just makes your code bloated. Why not to let a program to process your data properly for you?
This is why you have to have a mechanism to apply all the rules automatically. So prepared statements is such a mechanism.
What's wrong with a simple function like this, any reason you want to prefer your code to it:
$sql = "INSERT INTO table (column1, column2, column3) VALUES (?,?,?)";
some_query($sql, [$value1,$value2,$value3]);
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 8 years ago.
It's a little relative to the question I asked here
(PDO adds the apostrophe to the mySQL query) but this time column name is a parameter.
Not working PDO example would be like this:
"UPDATE tbl SET :COL1 = NOT :COL1;"
sure solution like this:
"UPDATE tbl SET $COL1 = NOT $COL1;" // works (but it's not PDO)
but why
"UPDATE tbl SET $COL1 = NOT :COL1;" // does not ??
while
"UPDATE tbl SET $COL1 = :VAL_COL1;" // is ok if I first get and negate COL1 value...
In a prepared statement, a parameter is a constant value that will be passed into the query without affecting how the query will be run. This allows the database to "prepare" the query ahead of time and figure out how it will be executed even without knowing the exact values that will be used.
Using this definition, a query like this does not have any parameters, and so the PDO and non-PDO versions of the query will look the same. Your working (first) example is as good as you're going to get. In fact, I'd claim that your first example actually is the PDO version.
To use a non-database example, a prepared statement is very much like a function in a programming language such as PHP. A function accepts parameters and uses their values, but (in normal circumstances) the parameters are not lines of code that will be run. The same code is run regardless of what the parameter values are - the function code itself is not changed by the parameters.
No. You cannot bind table names or column names as parameters. You can only bind values as parameters.
See more here: Can PHP PDO Statements accept the table or column name as parameter?
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
MySQL don't want to store unicode character
I writing a bbs php code, user reply something with some special unicode word, and I find my mysql code can not work.
var_dump it, the sql look like:
I use a Mac mysql client Sequel Pro, run this code, it said that:
No errors;0 rows affected.
But when remove the word "kiss", it said that:
No errors;1 rows affected.
Do you know why? And how I solve it?
Please notice, this user input is already process by mysql_real_escape_string.
Escape query string first then feed it to SQL statement. PHP has mysql_real_escape_string.
If mysql_real_escape_string doesn't work, then you may want to use prepare statements instead to avoid the issue entirely, like so:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
The above example is quoted from PHP document.
I have a query that looks at a list of files inside a folder and enters the names of everything into a database so I can control the sort when showing the images.
Now I had an image today which had a name of image123('2).jpg. The single quote caused my query from crashing so how can I get around this? To make things simpler I have made example scenario
I have list of 4 variables which have the following strings
$myVAR1 -- "MyName IS Leo";
$myVAR2 -- "MyName IS 'Tiger";
I am running a SQL query to enter them into a database
$sql = "INSERT INTO `names` (`StringID`, `StringValue`) VALUES (NULL, ' $myVAR1');";
$sql2 = "INSERT INTO `names` (`StringID`, `StringValue`) VALUES (NULL, ' $myVAR2');";
So how can I detect that the single quote is inside the string $myVar2 and how can I ignore it when entrying into the database?
You need to escape your data. Use prepared queries with PDO so you don't have to worry about this.
You are currently wide open to SQL injection.
At a minimum, use mysql_real_escape_string(), assuming you are using the standard MySQL library in PHP. It takes care of quotes, among many other things, escaping them properly so they will be inserted into your database.