Is this the right way to escape a string just in case, or can I insert a string like this without additional escaping?
$filenamefordb = preg_replace('/[^A-Za-z0-9а-яА-Я_\.\-]/u', '', $filenamefordb);
$query = "INSERT INTO file SET filename='$filenamefordb'";
I don't use mysqli_escape because I also need the name without any quotes in another place.
Why don't you escape the string using PDO?
<?php
$conn = new PDO('sqlite:/home/lynn/music.sql3');
/* Complex string */
$string = "Co'mpl''ex \"st'\"ring";
print "Unquoted string: $string\n";
print "Quoted string: " . $conn->quote($string) . "\n";
?>
This will output
Unquoted string: Co'mpl''ex "st'"ring
Quoted string: 'Co''mpl''''ex "st''"ring'
Reference:
http://php.net/manual/it/pdo.quote.php
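As an added example (not code from any of the posts above), here is the same INSERT done with a bound parameter: the asker's allowlist still produces a plain, unquoted copy of the name for use elsewhere, while the database never sees the value inside the SQL text, so neither quote() nor an escape function is needed. The `file` table and `filename` column follow the question; the in-memory SQLite connection and the sample inputs are assumptions so the script runs offline (the question used MySQL, but the SQL here is portable).

```php
<?php
// Added example, not from the original posts. Keeps the question's allowlist
// for the unquoted copy and hands the value to the database as a parameter.
declare(strict_types=1);

function sanitizeFilename(string $name): string
{
    // Same allowlist as the question: Latin/Cyrillic letters, digits, _ . -
    // Caveat: the range а-яА-Я does not include ё/Ё, so those letters are dropped.
    $clean = preg_replace('/[^A-Za-z0-9а-яА-Я_\.\-]/u', '', $name);
    if ($clean === null) {
        // With the /u flag preg_replace returns null on invalid UTF-8 input.
        throw new InvalidArgumentException('filename is not valid UTF-8');
    }
    // The allowlist alone lets "." and ".." through; strip leading dots so the
    // result cannot name the parent directory if it is later used on disk.
    $clean = ltrim($clean, '.');
    if ($clean === '') {
        throw new InvalidArgumentException('filename empty after sanitizing');
    }
    return $clean;
}

function insertFile(PDO $db, string $rawName): string
{
    $clean = sanitizeFilename($rawName);
    // A placeholder instead of '$filenamefordb': the driver sends the value
    // separately from the statement, so quotes in it cannot alter the SQL.
    $stmt = $db->prepare('INSERT INTO file (filename) VALUES (:filename)');
    $stmt->execute([':filename' => $clean]);
    return $clean;   // unquoted copy for the file system, the response, etc.
}

// Assumed connection so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE file (id INTEGER PRIMARY KEY, filename TEXT NOT NULL)');

// Constructed inputs: an ordinary name, a Cyrillic name with ё, a quote-breaking
// attempt, and a traversal attempt.
$inputs = ["report 2024.pdf", "отчёт.txt", "x'); DROP TABLE file; --", "../etc/passwd"];
foreach ($inputs as $in) {
    $stored = insertFile($db, $in);
    printf("%-32s -> %s\n", var_export($in, true), $stored);
}

foreach ($db->query('SELECT filename FROM file') as $row) {
    echo $row['filename'], "\n";
}
```

The allowlist is what makes the unquoted copy safe to use as a name; the bound parameter is what makes the INSERT safe regardless of what the filter lets through, so the two checks do not depend on each other.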
You can escape it with a generic PHP function:
$filenamefordb = mysql_escape_string ($filenamefordb);
$query = "INSERT INTO file SET filename='$filenamefordb'";
Related
I want to get the date using the date function, but the date should come between " ". I want to assign " to a variable so that I can get my output by combining the two variables:
$td=""";
$td2="".date("m/d/Y")."";
$td3=""";
$date="$td"."$td2"."$td3";
Please help...?
If you don't want to escape them, just wrap them in single quotes instead:
$td = '"';
$td2 = '"'.date("m/d/Y").'"';
$td3 = '"';
$date = $td.$td2.$td3;
You need to escape them:
$td = "\"";
With the backslash, the character is treated as a literal character and is ignored by PHP as syntax; it won't be used for delimiting strings or anything like that.
Try
$td = '"';
OR
$td = "\"";
Use a backslash or single quotes.
You have to use "\" before " in your $td and $td3 variables.
$td="\"";
Here is some code where I don't understand why the PHP code outputs: This is a $string with my $name in it. This is a cup with my coffee in it.
<?php
$string = 'cup';
$name = 'coffee';
$str = 'This is a $string with my $name in it.';
// will not echo the values of the variables because they are in ' '
echo $str. "\n";
// this function is like writing the PHP code outside of it
// it gets a string with PHP statements (;)
// because the code is written in a string,
// if it is written in double quotes you have to escape $ and "
// and if it is written in single quotes you have to escape '
eval("\$str = \"$str\";");
//it is not like this, why?????
//eval('$str = "$str";');
// and not like this, why???????
//$str = "$str" ;
echo $str. "\n";
?>
Why doesn't the statement eval('$str = "$str";'); or the statement $str = "$str"; do the same thing as the statement eval("\$str = \"$str\";"); in this code?
A double-quoted string evaluates all the variables inside it. A single-quoted string does not.
Now to this statement
eval("\$str = \"$str\";");
first \$str -> the $ is escaped, so it's a literal and not the $str variable
second $str -> the $ is not escaped and the whole string is in double quotes, so this will become
$str = "This is a $string with my $name in it."
Now this PHP code is evaluated, which assigns the string on the right to the variable on the left. Hence $str becomes "This is a cup with my coffee in it."
Eval should be avoided.
//it is not like this, why?????
//eval('$str = "$str";');
Because the input string might contain single quotes, so you can't use them to start and end the string.
// and not like this, why???????
//$str = "$str" ;
Because you want to evaluate a string, and the above is not a string.
I don't see the point of this example, just use double quotes:
<?php
$string = 'cup';
$name = 'coffee';
$str = "This is a $string with my $name in it.";
echo $str. "\n";
?>
In the first eval statement:
eval("\$str = \"$str\";");
As the second $ is not escaped, and you are using double quotes over the entire argument, the second $str's value is passed to eval, and the argument of eval becomes:
eval("\$str = \"This is a $string with my $name in it.\";");
which when evaluated, becomes:
$str = "This is a $string with my $name in it.";
Which assigns 'This is a cup with my coffee in it.' to $str.
In the second eval:
eval('$str = "$str";');
the statement evaluated is:
$str = "$str";
Which is the same as your third statement. When this statement is executed, it converts non-strings to strings. In this case, $str is already a string, so this statement has no effect on the value of $str.
Hope this helps. :)
Why would you need eval in this context?
Variables inside single quotes will not be interpreted; instead, put them inside double quotes.
$str = "This is a $string with my $name in it."; // <--- replaced single quotes with double quotes
Secondly, if you are really worried about escaping, why don't you make use of the HEREDOC syntax:
<?php
$string = 'cup';
$name = 'coffee';
$cont=<<<ANYCONTENT
This is a $string with my $name in it. This text can contain single quotes like this ' and also double quotes " too.
ANYCONTENT;
echo $cont;
Output:
This is a cup with my coffee in it. This text can contain single quotes like this ' and also double quotes " too.
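The answers above say eval should be avoided without showing why. As an added example (not code from the question or any answer), the eval() pattern from the question is wrapped in a function next to a strtr() substitution that produces the same filled-in sentence without executing anything. The template variables `$string` and `$name` and their values come from the question; the hostile template and the `injected` marker are constructed here to show the failure mode.

```php
<?php
// Added example, not from the original posts: the eval() template trick and
// a literal-substitution replacement that cannot run code.
declare(strict_types=1);

// The pattern from the question: builds PHP source out of $tpl and runs it.
// Anything in $tpl that closes the double-quoted literal becomes code.
function fillViaEval(string $tpl): string
{
    $string = 'cup';
    $name   = 'coffee';
    eval("\$str = \"$tpl\";");
    return $str;
}

// Same job without eval: strtr() replaces the placeholder text literally, so
// no part of $tpl is ever parsed as PHP. Keys are the literal "$string" and
// "$name" sequences the template is expected to contain.
function fillSafely(string $tpl, array $vars): string
{
    $map = [];
    foreach ($vars as $k => $v) {
        $map['$' . $k] = (string) $v;
    }
    return strtr($tpl, $map);
}

$vars     = ['string' => 'cup', 'name' => 'coffee'];
$template = 'This is a $string with my $name in it.';

echo fillViaEval($template), "\n";
echo fillSafely($template, $vars), "\n";

// Constructed hostile template: the double quote closes the string literal
// that eval() is building, the statement after it runs as PHP, and the
// trailing // comments out the rest. The payload only sets a global marker;
// any function call could stand in its place.
$hostile  = 'harmless text"; $GLOBALS["injected"] = "code ran"; //';
$injected = null;

fillViaEval($hostile);
var_dump($injected);                     // the marker is set: code from the template ran

echo fillSafely($hostile, $vars), "\n";  // the same text comes back as plain data
```

Run it and compare the two var_dump/echo lines after the hostile template: the eval version leaves `$injected` set, the strtr version returns the template untouched. For anything beyond fixed placeholders, sprintf() or a templating library is the right tool; eval on data that came from outside the script is code injection by construction.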
I have a variable $teste = hiiiii.
I need to put the variable inside a single quote and a double quote.
Like this:
"'$teste'" so that the value becomes "'hiiiii'"
I'm trying concatenation but it's not working. How do I do that???
You can escape your quotes:
echo "\"'$teste'\"";
will print out: "'hiiiii'"
You can do it like this:
$result = '"\'' . $teste . '\'"';
this will result in: "'hiiiii'".
Using a basic cheat of single and double quotes:
$test = 'hi';
echo '"'."'".$test."'".'"';
echo "'".'"'.$test.'"'."'";
Let's say I have these two variables
$number = 1;
$word = "one";
and I want to use them in a pg_query.
This is what I've got:
$result = pg_query($con, 'UPDATE a SET z = ARRAY[{$number}] WHERE word = {pg_escape_literal($word)}');
But it doesn't work.
To use string interpolation, you have to use double quotes:
$x = 3;
echo "This works: $x";      // This works: 3
echo 'This does not: $x';   // This does not: $x
You also can't interpolate function calls into strings like you're attempting with {pg_escape_literal($word)}. You'll need to escape the variable before interpolating it into the string:
$word_esc = pg_escape_literal($word);
$result = pg_query(
$con,
"UPDATE a SET z = ARRAY[$number] WHERE word = $word_esc"
);
You could also use sprintf:
$result = pg_query(
$con,
sprintf(
"update a set z=ARRAY[%d] where word = %s",
$number,
pg_escape_literal($word)
)
);
But the best and safest is to use the pg_query_params function, as you don't escape any parameter yourself. It is very easy to forget an escape and expose your site to SQL injection attacks.
$result = pg_query_params(
    $con,
    'update a set z=ARRAY[$1] where word = $2',
    array($number, $word)
);
Use double instead of single quotes: Double quoted strings expand variables into their values.
Basically I have a block of HTML that I want to echo to the page, and the HTML has the $ sign in it, so PHP thinks it is a variable: $1 is treated as the variable, not the value, and is not displayed.
There are the standard answers here but none are working: PHP: How to get $ to print using echo
My next idea is to split the string at the $ and echo each part out.
Here is the code I have tried, with echo and print.
foreach ($rows as $rowmk) {
$s = $rowmk->longdescription;
//$s = str_replace('$', '#', $s);
$s = str_replace('$', '\$', $s);
//echo "$s" . "<br>";
print $s;
}
All help appreciated.
OK, I solved it by using the character code value for $
foreach ($rows as $rowmk) {
$s = $rowmk->longdescription;
$s = str_replace('$', '&#36;', $s);
echo $s . "<br>";
}
I figured I should just post it anyway.
Thanks,
Mat
Or you could echo the string literal using single quotes...
<?php
echo 'Give me $1';
?>
will print:
Give me $1
PHP string docs:
http://php.net/manual/en/language.types.string.php
Side note - the link you provide has many answers that would work perfectly. How are you applying them in a way that doesn't work?
Just use a single quoted string.
$foo = 'Hello';
echo '$foo'; // $foo
echo "$foo"; // Hello
You're doing it in the wrong place. Variable interpolation is done when a double-quoted string literal (which in your case is stored within $rowmk->longdescription) is declared. Once it's done, you can't really do anything to get your $s back.
Solution: do proper escaping when you declare the string.
I assume you read your rows from a database. Dollar signs inside these strings will not be interpolated by PHP. Here's a little test script to try it out:
// you'd first have to set the three variables according to your database
$dbh = new PDO($DSN, $DB_USER, $DB_PASS);
// create a table and insert a string containing a dollar sign
$dbh->exec('CREATE TABLE IF NOT EXISTS some_text ( longdescription VARCHAR( 255 ))');
// SQL string literals use single quotes; the $ here is inside a PHP string, but
// "$'" is not a valid variable name, so PHP leaves it as a literal dollar sign
$dbh->exec("INSERT INTO some_text ( longdescription ) VALUES ( '10 $' )");
// query all the data from the table
$query =$dbh->query("SELECT * FROM some_text");
$rows = $query->fetchAll(PDO::FETCH_OBJ); // objects, so ->longdescription works below
// loop over all the rows (as in your example) and output the rows
// no problem at all
foreach ($rows as $rowmk) {
$s = $rowmk->longdescription;
echo $s . "<br>";
}
You can use "\$", e.g.:
"\$stringvalue"
I did it using this:
echo "$" . "VariableName";