I would like to store the following string in the field of an SQLite table:
$string = "Einstein's equation";
Is there a function to do so in a safe way? Obviously
SQLite3::escapeString($string);
does not work. Instead it will return Einstein"s equation.
I read that in SQL one is supposed to use double single quotes for single quotes, i.e., Einstein''s equation. However, if I try to make it safe SQLite3::escapeString("Einstein''s equation") returns Einstein""s equation. Is that a bug of escapeString?
What would be the correct way to escape a string with single quotes properly?
Related
I'm running this exact query from PHP:
UPDATE commentedText SET title='ยง2.', content='<div class=\"pageParagraph\"><p>Test</p>\n</div>', last_changed='1430422172', image_banner_url='', active='', comments='[{"from":"0","to":"0","id":"1","CommentedText":"","comment":"New test with \"test\" :d"}]' WHERE id='5541d52beb2ea' AND appId='MyAppID' LIMIT 1
However when I read the row that was updated (either via PHP or MySQL Workbench), the slashes are gone. See for example
<div class=\"pageParagraph\"[..]
which is saved to the table as
<div class="pageParagraph"[..]
How come the slashes disappear?
They are disappearing before they even get to MySQL -- PHP is seeing the backslash as an escape for the double quote.
"\""
creates a string "
To keep the backslash use
"\\\""
The first escapes the second, and the third escapes the quote.
Mysql also uses backslash escapes for strings. So to use it in a query, you need to have it escaped yet again.
"\\\\\""
PHP's string will be \\"
Which in MySQL will create a string \"
Use proper escaping when dealing with queries. Applying things like addslashes() are easily defeated.
Depending on your library, mysql_real_escape_string(), mysqli_real_escape_string(), or best yet, prepared statements.
These methods of escaping will not modify the original data, so you don't have to worry about removing the escaping characters on render.
Is is possible to find a string is escaped twice or not using SQL Query (REGEXP) or using PHP?
Please help me on this. I tried more to find it but I'm not getting it anywhere.
$item = "Zak's Laptop";
$escaped_item = mysql_escape_string($item);
$escaped_item_twice = mysql_escape_string($escaped_item);
Here i need to find out that $escaped_item_twice is escaped twice. by their result string which is stored in db already. (i.e) i already stored some strings in db with double escape. I want to get those things and to use stripslashes() on that data. How can i get that data?
You cannot make a difference. Escaping is nothing more than adding some \s (in this case). It leaves no other trail. You cannot tell whether double escaping occurred or you simply wanted to escape an escape character (\\) that was meant to be there.
This question already has an answer here:
Closed 10 years ago.
Possible Duplicate:
Correct way to escape input data before passing to ODBC
the error I am getting from querying a ODBC query is this:
(pos: 72 '...M = 'Owen O'^Donavon' AND...') - syntax error
and when I try to escape it:
(pos: 73 '... = 'Owen O\'^Donavon' AND...') - syntax error
the ^ means that is where it is breaking
I have tried the following:
NAM = '".$var."'
And also this:
NAM = '".mysql_escape_string($var)."'
then I got desperate
NAM = \"".$var."\"
Where $var is any name that contains a ' in it.
if you need the whole query:
UPDATE TABLE SET COLUMN1 = 'ERR' WHERE COLUMN_NAM = '".mysql_escape_string($var)."' AND COLUMN7 = 0");
does anybody know how I can get the quote properly escaped?
To include a single quote within a MySQL string literal (which is delimited by single quotes), use two single quote characters. e.g.
'I don''t like it'
Effectively, When MySQL parses that, it will see the two single quote characters, and will interpret that as one single quote within a literal, rather than seeing the "end" of the string literal.
But (as you are finding out) when you have only one single quote in there, the MySQL parser has a hissy fit over it. Consider this example:
'I don't like it'
What the MySQL parser sees there is a string literal, five characters in length, containing 'I don'. Then MySQL sees that literal as being followed by some more tokens that need to be parsed: t like it. The parser does NOT see that as part of a string literal. That previous single quote marked the end of the string literal.
So now, the MySQL parser can't make heads or tails of what t like it is supposed to be. It sees the single quote following these tokens as the beginning of another string literal. (So, you could be very clever about what appears there, and manage to get something that MySQL does understand... and that would probably be even worse.)
(NOTE: this issue isn't specific to ODBC; this affects clients that make use of string literals in MySQL query text.)
One way to avoid this type of problem is to use bind variables in your query text, vs. string literals. (But with MySQL, what's happening anyway, is that escaping, what gets sent to the MySQL server (behind the scenes, so to speak) is a string literal.
Sometimes we DO need to include string literals in our query text, and we shouldn't be required to use bind variables as a workaround. So it's good to know how to "escape" a single quote within a string literal which is enclosed in single quotes.
I'm building an application around a database(which was built by someone else, so changing it is not an option). I'm querying the database for values which was working fine until I came across a column in the database that has a $ in it.
The code I'm trying to get to work is...
$avgprice=mysql_result($result1,$i,"avg$cwt");
Try to escape $ sign or use ' instead of ":
$avgprice=mysql_result($result1,$i, "avg\$cwt");
// or imho better way to do it:
$avgprice=mysql_result($result1,$i, 'avg$cwt');
PHP strings:
When a string is specified in double quotes or with heredoc, variables are parsed within it.
and
Note: Unlike the double-quoted and heredoc syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings.
Use single quotes ' instead of double quotes " to prevent PHP from trying to replace the assumed variable.
$avgprice=mysql_result($result1,$i,'avg$cwt' );
PS: Maybe consider using PDO or mysqli instead of the plain mysql_X functions.
Use single quotes.
$avgprice=mysql_result($result1,$i,'avg$cwt');
Double quotes interpolate (expand) variables. Single quotes do not. Good practice in PHP is to only use double quotes if you want to interpolate variables in the string. Single quoted strings are processed faster because the interpreter doesn't have to look for variables.
I have a string:
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'"
My problem is, the single quotes you can see in JR'S OFFICE and MFR's OFFICE are prematurely ending my string. I could switch my double quotes with single quotes and vice versa, but these are coming from user-entered values. If the user had entered a double quote, I would be in the same boat as I am now.
Any ideas on how to keep the integrity of this string while having single and double quotes throughout?
By the way, not sure if this matters for anything but - I'm putting my $departmentList string into a jQGrid to build the values for a select box.
Use addslashes to replace " with \" and ' with \'.
If you are using the input for database purpose better use mysql_real_escape_string()
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'";
$data = mysql_real_escape_string($departmentList);