Replace forward to back slash in query string - php

MySql Code
SELECT replace(replace(v.image_path,"\\","/"),"%s","_120") as image_path
FROM `artistkr_fox`.`phpfox_video` v;
My phpfox service file query string
$aVideos = $this->database()->select("REPLACE(REPLACE(v.image_path,'\','/'),'%s','_120') as image_path" . Phpfox::getUserField())
->from($this->_sTable, 'v')
->execute('getSlaveRows');
This query can't return any value; the error is thrown by this part of the code: "REPLACE(v.image_path,'\','/')"

You need to make sure you are not mixing the quotes of the PHP string and your SQL query.
You can do this either by escaping them using a backslash in front of your quote (\')
$query = 'SELECT replace(replace(v.image_path,"\\\\","/"),\'%s\',\'_120\') as image_path FROM artistkr_fox.phpfox_video v';
or by using double quotes (") for the PHP string and single quotes (') for your SQL query:
$query = "SELECT replace(replace(v.image_path,'\\\\','/'),'%s','_120') as image_path FROM artistkr_fox.phpfox_video v";
(Note when using double quotes for the PHP string, you need to escape the backslashes in your SQL query)
Which one you choose depends on your preference and the situation (e.g. complexity of the query).

Related

Can someone explain the syntax of this code?

I have the following query in a php file which works fine:
$query = "SELECT `name` FROM users WHERE name='".mysqli_real_escape_string($link,$name)."'";
I got it in a tutorial so I'm trying to wrap my head around the syntax. Specifically this part:
'".mysqli_real_escape_string($link,$name)."'
If the function mysql_real_escape_string() returns a string, why are double quotes needed? Also, I understand in php the . means concatenation, so is this code adding to the empty string ""?
Please help, I'm really screwed up on this one.
The double quotes are needed because this is using string concatenation to compose a query. This is a really messy way to do this sort of thing as the mysqli driver has support for placeholders:
$query = "SELECT `name` FROM users WHERE name=?";
The ? represents where your data will go. You then use the bind_param method to add your $name value in there.
If you're disciplined about using placeholders you won't have to worry about quoting or proper escaping.
The single quotes identify strings in the SQL query that you are building.
Your query will result for example in:
SELECT `name` FROM users WHERE name='John';
(note the quotes surrounding John)
The backticks are used to escape object names.
There are two types of quotes in most computer programs, ' and ". You use two of the same type to enclose a string, like 'abc' or "def". However, when you need quotes inside the other quotes, you can put '"'. The syntax does not respond to the quote of different type. The same principle applies in here.
In this case, the line of code can be represented as
$query = "SELECT `name` FROM users WHERE name=''";
but the single quotes need content in them. That gets added by the concatenation.
There are no empty strings in this code. The last "'" is just closing the single quoted string that was opened in name='". In mysql queries, strings must be enclosed in quotes, and here the function returns a string which is enclosed in single quotes. This can be clarified like this:
$name = mysqli_real_escape_string($link,$name);
$query = "SELECT `name` FROM users WHERE name='".$name."'";
Suppose the variable $name = 'Joffery'
Then the $query variable will be printed like this:
SELECT `name` FROM users WHERE name='Joffery'

Why mysql is removing slash from data?

Using simple function:
mysqli_query($link, 'update table set field = \'variable text with \" slash\' ');
$res = mysqli_query($link, 'select field from table');
$res = mysqli_fetch_array($res);
when printing the result I have string without slash like: 'variable text with " slash'.
When I preview the table in my localhost mysql client (SequelPro) I see that there are no slash also.
Is it normal that mysql is removing this slash on insert automatically? Is there a way to prevent this? I need this slash there. Also I cannot use addslashes later after getting the value from db.
Magic quotes are disabled on my php server.
The slashes you are adding are used to escape the quotes in the php string. You should add 3 slashes \\\" so that the first two make a backslash and the third one escapes the quote.
This is because PHP is escaping the ". You need to escape the backslash too, like this:
mysqli_query($link, 'update table set field = \'variable text with \\\" slash\' ');
Or you could use addslashes().
$query = "update table set field = '" . addslashes('variable text with \" slash') . "'";
mysqli_query($link, $query);
I assume you want to keep the second backslash, as the first and third are needed to escape the single quotes. To keep the backslash, simply escape the backslash:
mysqli_query($link, 'update table set field = \'variable text with \\\\" slash\' ');
You don't need to escape the double quote because this string is enclosed by single quotes.
You have to use a double slash \\
Try that:
mysqli_query($link, "update table set field = 'variable text with \\\\\" slash' ");
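The two questions above (the REPLACE that errors on '\', and the backslash that vanishes on insert) are the same problem: a quoted value passes through the PHP literal first and then through MySQL's own backslash processing. The following is an added example, not code from any of the posts, that emulates the MySQL layer locally so both effects can be checked without a server; it assumes MySQL's default mode (NO_BACKSLASH_ESCAPES not set) and the helper names are its own.

```php
<?php
// Added example: emulate the two escaping layers a value passes through
// (PHP literal -> MySQL '...' literal -> stored value). Helper names are
// invented for this demo; they are not MySQL or mysqli functions.

// What MySQL stores for a '...' literal: every \x escape sequence is resolved.
function mysql_literal_to_value(string $literal): string {
    $map = ['0' => "\0", "'" => "'", '"' => '"', 'b' => "\x08", 'n' => "\n",
            'r' => "\r", 't' => "\t", 'Z' => "\x1a", '\\' => '\\',
            '%' => '\\%', '_' => '\\_'];           // \% and \_ keep their backslash
    // an unknown escape such as \x just drops the backslash
    return preg_replace_callback('/\\\\(.)/s', fn($m) => $map[$m[1]] ?? $m[1], $literal);
}

// The inverse: escapes the same seven characters mysqli_real_escape_string() does.
function mysql_value_to_literal(string $value): string {
    return strtr($value, ['\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\0" => '\\0',
                          "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z']);
}

// Stage 1: the PHP single-quoted literal from the question. Single quotes only
// process \\ and \', so \" reaches MySQL as two characters: backslash, quote.
$asWritten = 'variable text with \" slash';
// Stage 2: MySQL resolves \" to ", so the stored value has no backslash at all.
$stored = mysql_literal_to_value($asWritten);      // variable text with " slash

// The three-backslash fix from the answers: PHP turns \\ into \ and keeps \",
// so MySQL receives \\" and stores \" as wanted.
$fixed = mysql_literal_to_value('variable text with \\\" slash');   // variable text with \" slash

// The REPLACE question is the same mistake: '\' reaches MySQL as the literal '\',
// where the backslash escapes the closing quote. Escaping the value instead of
// hand-typing backslashes produces the literal '\\' that actually works.
$replaceArg = "'" . mysql_value_to_literal('\\') . "'";   // '\\'
$sql = "REPLACE(v.image_path, $replaceArg, '/')";

// Round trip: any value survives escape-then-store unchanged.
$sample = 'C:\\img\\a"b\'c';
$roundTripOk = mysql_literal_to_value(mysql_value_to_literal($sample)) === $sample;

var_dump($stored, $fixed, $sql, $roundTripOk);
```

Running it prints the stored value without its backslash, the fixed value with it, the working REPLACE fragment, and true for the round trip.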

PHP String - Escape Single Quotes (for jQgrid Select Box)

I have a string:
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'"
My problem is, the single quotes you can see in JR'S OFFICE and MFR's OFFICE are prematurely ending my string. I could switch my double quotes with single quotes and vice versa, but these are coming from user-entered values. If the user had entered a double quote, I would be in the same boat as I am now.
Any ideas on how to keep the integrity of this string while having single and double quotes throughout?
By the way, not sure if this matters for anything but - I'm putting my $departmentList string into a jQGrid to build the values for a select box.
Use addslashes to replace " with \" and ' with \'.
If you are using the input for database purposes, it is better to use mysql_real_escape_string()
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'";
$data = mysql_real_escape_string($departmentList);

postgresql quotes problem

$url = "What's up with "You doing this"";
$q = sprintf ("update user set url='%s'",$url);
pg_query ($db_conn, $q);
I want to insert everything into the database exactly as the user wants. I don't want to escape anything. The above would fail for me because of the quotes. I know single quotes have to go around the postgresql string (url='%s'). Since there are double quotes in my url string the query will not update because of it. I'm sure I could do a string replace for all double quotes and make them single quotes but what if the user really wants double quotes. And I cannot use string replace to put a backslash because according to the postgresql docs the slash will be deprecated soon (http://www.postgresql.org/docs/8.1/interactive/sql-syntax.html) plus that goes against inserting only what the user inputted.
What do people suggest I do?
Use pg_escape_string to escape quote characters in your string.
Use parametrized queries:
pg_query_params(
    $db_conn,
    "UPDATE user SET url = $1",
    array("What's up with \"You doing this\"")
);
Escape your double quotes in the text like this:
$url = "What\'s up with \"You doing this\"";

php mysql query syntax question regarding ""'s

Forgive me, I'm a beginner. The following code returns a parse error:
$query = "INSERT INTO scenario_needgames VALUES ("$id", "Battle of the Bulge")";
the query builder in phpMyAdmin gave me this slightly modified string that works:
$query = "INSERT INTO scenario_needgames VALUES (\"$id\" , \"Battle of the Bulge\");";
but I'm confused as to why the quotes need to be escaped when they're actually part of the query syntax, and not - say - part of a title or string? The introductory book I'm learning from doesn't include those for such simple strings.
The $id value is 7 digits, 4 letters and then 3 numbers if you're curious.
Thank you.
Double quotes need to be escaped within a double quoted string, alternatively you can use a single quoted string and not have to escape the double quotes, but then you cannot directly interpolate variables, you have to use concatenation instead:
$query = 'INSERT INTO scenario_needgames VALUES ("' . $id . '", "Battle of the Bulge")';
Alternatively, just replace your inner double-quotes with single-quotes:
$query = "INSERT INTO scenario_needgames VALUES ('$id', 'Battle of the Bulge')";
I would suggest using mysql_real_escape_string to correctly and safely quote strings. You might also like to have a look at using prepared statements instead with PDO or mysqli.
They are escaped because of PHP, not MySQL. You must escape " characters in a "..." string because a " character can be interpreted as the end of the string.
Look at the code coloring in your answer. The first string is colored wrongly: the parts between " and " are colored like code, not like a string.
It's PHP which returns a parse error.
From the point of view of PHP, a string is a sequence of characters delimited by quotes. One at the beginning and one at the end.
When you want to put quotes inside the string, you need to escape them, so PHP knows the internal quotes are not the end of the string.
Unless you escape them, PHP will return a parse error because the thing you're assigning to $query is not a valid string (with a quote at each end, only)
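Several answers above (the mysqli ? placeholder, pg_query_params, and the suggestion to use prepared statements with PDO or mysqli) make the same point: with placeholders the value never enters the SQL text, so none of the quoting problems in these questions arise. The following is an added example, not code from any of the posts; it uses an in-memory SQLite database through PDO so it runs without a MySQL or PostgreSQL server, and the prepare/bind/execute pattern is the same with those drivers. The roundTrip() helper and the sample inputs are constructed for the demo.

```php
<?php
// Added example: a value with quotes and backslashes round-trips through a
// prepared statement untouched. Uses PDO + SQLite in memory so it runs offline;
// the same prepare/execute shape applies to mysqli and pg_query_params.

function roundTrip(PDO $db, string $name): ?string {
    $db->exec('CREATE TABLE IF NOT EXISTS users (name TEXT)');
    // The value is bound, not spliced into the SQL: no quoting, no escaping layers.
    $ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $ins->execute([':name' => $name]);
    // Same query shape as the "name = ?" answer above.
    $sel = $db->prepare('SELECT name FROM users WHERE name = ?');
    $sel->execute([$name]);
    $row = $sel->fetchColumn();
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Constructed inputs covering the cases from the questions above.
$inputs = [
    "Joffery",
    'What\'s up with "You doing this"',    // the PostgreSQL question
    'variable text with \" slash',          // the vanishing-backslash question
    "JR'S OFFICE;17:MFR'S OFFICE",          // the jqGrid string
    "' OR 1=1 --",                          // hostile-looking input stays plain data
];

foreach ($inputs as $in) {
    $out = roundTrip($db, $in);
    printf("%-40s %s\n", var_export($in, true), $out === $in ? 'identical' : 'CHANGED');
}
```

Every line should print "identical"; if the last one did not, the value would have been parsed as SQL instead of stored as a string.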
