mysql_query error with single quotes in php [duplicate] - php

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How do I handle single quotes inside a SQL query in PHP?
I had written the following code to fetch a data from a mysql table:
$clg=$row['text'];
$query1 = "SELECT * FROM user WHERE text='$clg'";
$result1 = mysql_query($query1,$con) or die(mysql_error());
$count=mysql_num_rows($result1);
echo $count;
But the text field has a single quote (') which closes the single quotes in $query1, resulting in a MySQL syntax error. How can I rectify this?

$clg=$row['text'];
$query1 = "SELECT * FROM user WHERE text='" . mysql_real_escape_string($clg) . "'";
$result1 = mysql_query($query1,$con) or die(mysql_error());
$count=mysql_num_rows($result1);
echo $count;
But you should know that the mysql_* function family will be deprecated soon.
Please read the red box located here on the php.net website.

<?php
// Undo the backslashes magic_quotes may already have added, then escape for MySQL
function escape($string) {
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}
Write this function and call it
escape($clg);
to prevent every MySQL syntax error and SQL injection.
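The quoting failure from the question and the placeholder-based fix, as an added example that is not part of the original question or answers. It runs against an in-memory SQLite database through PDO so it works offline (the asker used MySQL and the mysql_* extension); the table name "user" and column "text" come from the question, the rows and search values are constructed here.

```php
<?php
// Added example: the interpolated query from the question, then the same
// lookup through a prepared statement. PDO + SQLite are assumptions made so
// the script runs without a MySQL server; the original targeted MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, text TEXT NOT NULL)");
// Constructed sample rows; the second one contains single quotes.
$db->exec("INSERT INTO user (text) VALUES ('plain value'), ('O''Brien''s value')");

// The value that breaks the interpolated query: it contains a single quote.
$clg = "O'Brien's value";

// 1. What the question did: paste the value into the SQL text. The quote in
//    $clg ends the string literal early and the statement no longer parses,
//    which is the syntax error the asker saw.
$broken = "SELECT * FROM user WHERE text='$clg'";
try {
    $db->query($broken);
    echo "unexpected: interpolated query was accepted\n";
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. The fix: send the SQL and the value separately. The value is bound to
//    the placeholder as data, so quotes inside it are neither a syntax
//    problem nor a way to change the statement.
function countMatchingText(PDO $db, string $text): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM user WHERE text = ?");
    $stmt->execute([$text]);
    return (int) $stmt->fetchColumn();
}

echo "Matches for {$clg}: " . countMatchingText($db, $clg) . "\n";
echo "Matches for 'plain value': " . countMatchingText($db, 'plain value') . "\n";

// 3. A value that looks like an injection attempt is compared literally
//    through the placeholder and simply matches no row.
echo "Matches for \"x' OR '1'='1\": " . countMatchingText($db, "x' OR '1'='1") . "\n";
```

The bound version needs no escaping function at all, which is also why it survives the removal of mysql_real_escape_string: with mysqli the same shape is $stmt = $conn->prepare(...); $stmt->bind_param('s', $clg); $stmt->execute().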

Related

Using str_replace in table query in MYSQL [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
If you create a variable inside a if statement is it available outside the if statement?
(4 answers)
How to replace "if" statement with a ternary operator ( ? : )?
(16 answers)
If variable equals value php [duplicate]
(4 answers)
Closed 2 years ago.
There are a lot of examples on SO of using str_replace to modify a query that uses variables in MYSQL but I can't find one that solves my problem.
I have the following legacy query that I'm debugging written in PHP and MySQL.
Somewhat simplified it is:
$sql = "SELECT * from MOVIES WHERE cat = '$cat'";
In the event that cat has a certain value, say "action", I want to check for "adventure".
Let's say you start with query:
$cat = "action";
$sql = "SELECT * FROM MOVIES WHERE cat='$cat'";
I'm trying to modify the query with:
$needle = "cat=".$cat;
$altcat = "adventure";
$altwhere = "cat=".$altcat;
$sql = str_replace($needle,$altwhere,$sql); //NOTHING GETS REPLACED...NOT MATCHING Needle
How can I do this? I'm thinking the problem has something to do with use of spaces or apostrophes in the sql string but can't get it to work.
Thanks for any suggestions.
You want to replace "cat='".$cat."'" with "cat='adventure'", not "cat=".$cat with "cat=adventure".
(Though you are inconsistent in saying if there are spaces around the =.)
But you should not do this and should use a placeholder instead.
I would not try to do string substitution on the SQL query. Instead, just use query parameters.
$cat = 'action'; // suppose this is the input to your program
$sql = "SELECT * from MOVIES WHERE cat = ?";
if ($cat == 'action') {
    $cat = 'adventure';
}
$stmt = $db->prepare($sql);
$stmt->execute( [ $cat ] );

How do I get artistName as a variable [duplicate]

This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 2 years ago.
I was wondering if it was possible to get a value from mysqli query and use it in the same page, if so how would I do that here?
$sql2 = "select artistName from ARTIST";
$result2 = $conn->query($sql2);
if($result2->num_rows != 0){
    echo "<p>Artist: <select name=\"artistName\">";
    while ($val2 = $result2->fetch_assoc()) {
        echo "<option value='$val2[artistName]'>$val2[artistName]</option>";
    }
    echo "</select></p>";
}
I am trying to make this request below:
$addArt = "update ARTIST set Aname='$fileName' where artistName='$val2[artistName]'";
where filename is an arbitrary file
Multiple issues:
Mixed quotes:
"<option value='$val2[artistName]'>$val2[artistName]</option>"
"update ARTIST set Aname='$fileName' where artistName='$val2[artistName]'"
Unlike the double-quoted and heredoc syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings.
Reference: https://www.php.net/manual/en/language.types.string.php
SQL Injection
"update ARTIST set Aname='$fileName' where artistName='$val2[artistName]'"
You need to be careful with how you get the value $val2[artistName], or it may lead to a SQL injection attack.

Adding backslash before quotes when string contains them - PHP [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm doing a little ajax question-result system. When the user types something into the textarea, the result is automatically searched and output.
The problem is that every time the user types a question that contains "" or '', the search is unsuccessful. Is there any way I can add a backslash to "" or '' inside the string, so it would be ignored?
Or is there any filter that ignores the "" or ''?
I need the question to be searched with quotes, because the questions in the database contain them.
Here's the code:
$q = $_POST['q'];
// for every " or ' in $q add \ before it
$results = array();
$result = array();
$count = 0;
$stmt = $dbh->prepare("SELECT result FROM quest WHERE quest LIKE '".$q."%'");
if($stmt->execute()){
    $result = $stmt->fetchAll(PDO::FETCH_OBJ);
    $count= $stmt->rowCount();
}
if($result != NULL){
    foreach($result as $part){
        foreach($part as $item){
            $results[] = $item;
        }
    }
    echo htmlentities($results[0], ENT_QUOTES, "UTF-8");
}
You are not using prepared statements correctly, and that's why you are having this issue. If you use prepared statements correctly, they solve this issue for you. The docs for this are actually pretty good.
http://php.net/manual/en/pdo.prepared-statements.php
EDIT: Please take the time to learn how to use them correctly. If not, your code is susceptible to SQL injection.
Try using the addslashes() function.
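The prefix search from this question done with a real placeholder, as an added example that is not part of the original question or either answer. It uses PDO with an in-memory SQLite database so it runs offline (the asker used MySQL); the table "quest" with columns quest and result comes from the question, the rows and the typed inputs are constructed here. It also covers the one thing a placeholder does not handle for LIKE: a typed % or _ is a wildcard, not a quoting problem, so it is escaped separately.

```php
<?php
// Added example: LIKE prefix search with bound parameters. PDO + SQLite are
// assumptions so the script needs no MySQL server.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE quest (quest TEXT NOT NULL, result TEXT NOT NULL)");

// Constructed sample questions; they contain double quotes, a single quote
// and a literal percent sign, the cases the asker hit.
$ins = $dbh->prepare("INSERT INTO quest (quest, result) VALUES (?, ?)");
foreach ([
    ['What does "git pull" do?', 'fetch followed by merge'],
    ["What's a closure?",        'a function with captured variables'],
    ['How much is 100%?',        'all of it'],
] as $row) {
    $ins->execute($row);
}

// Quotes are handled by the placeholder. Only % and _ carry meaning inside a
// LIKE pattern, so those (and the escape character itself) are escaped here,
// otherwise a typed "%" would match every row.
function likePrefix(string $userInput): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $userInput);
    return $escaped . '%';
}

function searchResults(PDO $dbh, string $q): array
{
    // $q travels as a bound value and never becomes part of the SQL text.
    $stmt = $dbh->prepare("SELECT result FROM quest WHERE quest LIKE ? ESCAPE '\\'");
    $stmt->execute([likePrefix($q)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Typed inputs: double quotes, a single quote, a literal percent, a lone "%".
foreach (['What does "git', "What's", 'How much is 100%', '%'] as $q) {
    $hits = searchResults($dbh, $q);
    printf("%-20s -> %d result(s): %s\n", $q, count($hits), implode(' | ', $hits));
}
```

No addslashes() is involved: the quote handling is entirely the driver's job once the value is bound. MySQL already treats backslash as the default LIKE escape character, so the ESCAPE clause can be dropped there; it is written out because SQLite has no default.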

check the manual that corresponds to your MySQL server version [duplicate]

This question already has an answer here:
debug mysqli query with or die mysqli_error
(1 answer)
Closed 8 years ago.
<?php include 'config.php';
$user_id = 1;
$postid = 9;
$content = "sdfsdfsdfsdf";
$date = '24';
$category_id = 4;
$result = $db->query("INSERT INTO post_items(`post_id`,`content`,`date`,`user_id`,`category_id`)
VALUES ('".$postid.", '".$content."', '".$date."', '".$user_id."', '".$category_id."')");
if($result) {
    echo "hey";
}else{
    echo $db->error;
}
?>
Please help, I've tried for 3-4 hours but no luck. I'm very sure all my columns are correct; I'm confused about how to use SQL syntax now, because when I went to the MySQL visual editor it gave me a different SQL query for the insert.
Missing the ' after $postid
VALUES ('".$postid.", '".$content."', '".$date."', '".$user
--------------------^
VALUES ('".$postid.", '".$con ...
^ ^^^
It appears that you have missed a single quote. It should be:
VALUES ('".$postid."', '".$con ...
^
add this
This is yet another good reason (beyond the already excellent one of avoiding SQL injection attacks) that you should prefer parameterised queries. They're much more readable hence easier to debug.

php sql query function syntax not working [duplicate]

This question already has answers here:
What is the difference between single-quoted and double-quoted strings in PHP?
(7 answers)
Closed 10 years ago.
I was trying to get my function to work and after a while I slammed my keyboard down and then everything worked, and I noticed that:
function get_people_fullname($db, $people_id) {
    $query = 'SELECT
        people_fullname
    FROM
        people
    WHERE
        people_id = '.$people_id;
    $result = mysql_query($query, $db) or die(mysql_error($db));
    $row = mysql_fetch_assoc($result);
    return $row['people_fullname'];
}
where the query goes
people_id = '.$people_id;
which works
I originally had
people_id = $people_id';
which doesn't work
I'm just lost, and I think this is a simple thing that someone more experienced can explain to me?
thanks
You need to use double quotes in order to get the value of the variable:
$query = "SELECT
    people_fullname
FROM
    people
WHERE
    people_id = $people_id";
In PHP, let's say $a = 5,
echo 'a is $a'; // will result: a is $a
echo "a is $a"; // will result: a is 5
As a side note, the query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
Single quotes do not have variable substitution; double quotes are what you want if you want to replace $var with a value.
