I have this query
VALUES ('$name', 'img\\" . $image['name'] . "', '$category')
it is for uploading an image, and I need to upload the image location hence needing
img\imagename.jpg
I am struggling with how to insert the backslash for the img\ as one leads to an error and double enters none into the database for some reason.
Thank you
Use prepared/parameterized queries. Then you don't have to worry about escaping data yourself, and are protected from SQL injection attacks.
This is the query you should have:
VALUES (:name, :img_name, :category)
Then, using PDO and SQL placeholders you can bind your values to each insertion point in your query to be sure things are properly escaped.
Related
I have an input field named "eventName". everytime I will put single quote (e.g uncle's birthday) it won't be inserted to the database. I mean no data at all will be posted to database. the system will just say that the event was saved but no data is being stored in the database.
You need to escape the single quote. The escape character used in this case of a '\', you can use inbuilt functions like mysqli_escape_string or add-slashes.
When you add a single quote in a variable and add it to a query, this will change your query by considering the single quote as a comment. e.g
Insert into Table ('name') values ('uncle's birthday');
Your query got ended at uncle and the part after that won't be considered, essentially this would result in failure. You should check what the error code as well depending on which database you are using.
Update:
$eventName = add_slashes($_POST['eventName']);
Rather than simply adding slashes, consider prepared statements, thus preventing SQL injection attacks. More details about this here: How can I prevent SQL injection in PHP?
It's good practice to escape values before writing them to your database.
$escapedName = mysqli_real_escape_string($_POST['eventName']);
This question already has answers here:
SQL injection that gets around mysql_real_escape_string()
(4 answers)
Closed 5 years ago.
So I know that using prepared statements with placeholders is pretty much the only way to protect yourself from SQL injection due to poor formatting of your queries. However, I also see many people suggesting that, although mysqli_real_escape_string is NOT safe, using it with single quotes around the variable is. For example (note the single quotes in the query):
$value1 = mysqli_real_escape_string($value1);
$value2 = mysqli_real_escape_string($value2);
$value3 = mysqli_real_escape_string($value3);
mysqli_query("INSERT INTO table (column1, column2, column3)
VALUES ('" . $value1 . "', '" . $value2 . "', '" . $value3 . "')";
So: when only dealing with integers and strings, would the above example be just as safe as if you were to use mysqli prepared statements and placeholders?
It is not mysqli_real_escape_string that is not safe, but the way PHP users tend to use it.
As long as you are setting a character set with set_charset() and always wrapping your escaped values in single quotes, despite the type, then technically the statement above would be safe.
However, as you can see, there are too much rules to follow - a condition that is too complex for an average PHP user. Therefore, this kind of manual formatting is an endless source of injections, simply because any rule (escaping, quoting, setting a charset) could be just forgotten to apply.
Besides, manual escaping just makes your code bloated. Why not to let a program to process your data properly for you?
This is why you have to have a mechanism to apply all the rules automatically. So prepared statements is such a mechanism.
What's wrong with a simple function like this, any reason you want to prefer your code to it:
$sql = "INSERT INTO table (column1, column2, column3) VALUES (?,?,?)";
some_query($sql, [$value1,$value2,$value3]);
I am trying to insert a data from a form which has about 1990 characters into mysql. How ever the insert is not working. when i var_damp the content of the variable is shows the correct content. When i set it to an empty string the insert works. I have done my research and still can't get ti to work. I am not trying to upload a file. This characters are from a textarea in my form.
Below is the insert code:
if (isset($_POST['val'])) {
$score = $_POST['val'];
$course = $_POST['course'];
$mysqli->query("INSERT INTO `evaluate` (`id`, `course`, `score`) VALUES (Null, '$course', '$score')");
Note: is score column has type TEXT in the database.
This is a common problem because most introductions to mysqli don't cover it right away even when it should be the first thing you learn. Inserting into any database, especially SQL, requires carefully escaping the values you're supplying. The way these are escaped varies depending on the platform, but the good news is that mysqli can handle it for you.
The key is using prepared statements:
$stmt = $mysqli->prepare("INSERT INTO evaluate (course, score) VALUES (?,?)");
$stmt->bind_param('ss', $_POST['course'], $_POST['val']);
$stmt->execute();
Now it's best to enable exceptions so that any errors are not ignored. Once in a while we all make little mistakes that can be a giant pain to track down if there isn't any warning about them. Exceptions make a lot of noise.
If you're just getting started with PHP and databases, you might want to evaluate using PDO which is significantly better than mysqli for a number of reasons, or a higher level database layer like Doctrine or
Propel which make using the database a lot more pleasant.
I have a single quote (') in the text and not escaping it meant that the SQL statement was been interpreted wrongly
The correct way to go, and you must always do this, is:
$score = $mysqli->real_escape_string($_POST['val']);
$course = $mysqli->real_escape_string($_POST['course']);
$mysqli->query("INSERT INTOevaluate(id,course,score)VALUES (Null, '$course', '$score')");
Why should we escape double quotes,single quotes creating queries in PHP? are there any particular benefits when doing that? or it is just a good practice?
It is required to make your queries work and secure. Consider the following code:
$name = "O'reilly";
$sql = "INSERT INTO users (name) VALUES ('$name')";
The result SQL would become like this:
INSERT INTO users (name) VALUES('O'reilly');
Which simply doesn't work. It needs to be properly escaped:
INSERT INTO users (name) VALUES('O\'reilly');
The same applies for other special chars.
Prevent SQL injection
Consider this query:
DELETE FROM users WHERE username='$username';
Where $username is obtained from $_POST. If an attacker managed to post string like ' OR 1; -- as the $username then the query becoming this:
DELETE FROM users WHERE username='' OR 1; -- ';
which is valid and the WHERE always evaluates to true and you will have to give good explanation to your angry users.
See also: Best way to prevent SQL Injection in PHP
If you do not escape quotes, The query ends at the place of single quotes. So your query will not be executed successfully!
E.g.
$qry = "SELECT * FROM user WHERE email='test#test.com'";
It works fine but if any one enters email='test'#test.com' then query ends at 'test' only and not find any rows with that one.
So it prevents also a sql injection!
s, to prevent from SQL injection attacks.
To know SQL injection
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
http://www.homeandlearn.co.uk/php/php13p5.html
To prevent PHP Sql injection
https://stackoverflow.com/a/60496/781181
I have a query that looks at a list of files inside a folder and enters the names of everything into a database so I can control the sort when showing the images.
Now I had an image today which had a name of image123('2).jpg. The single quote caused my query from crashing so how can I get around this? To make things simpler I have made example scenario
I have list of 4 variables which have the following strings
$myVAR1 -- "MyName IS Leo";
$myVAR2 -- "MyName IS 'Tiger";
I am running a SQL query to enter them into a database
$sql = "INSERT INTO `names` (`StringID`, `StringValue`) VALUES (NULL, ' $myVAR1');";
$sql2 = "INSERT INTO `names` (`StringID`, `StringValue`) VALUES (NULL, ' $myVAR2');";
So how can I detect that the single quote is inside the string $myVar2 and how can I ignore it when entrying into the database?
You need to escape your data. Use prepared queries with PDO so you don't have to worry about this.
You are currently wide open to SQL injection.
At a minimum, use mysql_real_escape_string(), assuming you are using the standard MySQL library in PHP. It takes care of quotes, among many other things, escaping them properly so they will be inserted into your database.