I am trying to insert a mysql query itself into a table field(Executing a series of queries when certain conditions met), but whenever there is any special characters in query, it is converted in to its corresponding entities.
For example, if Iam inserting this query to table, the quote will become " '" , > to > and space to &# . Is there any way to insert the query as it is and display in correct form .
"select
case item_id
when 206 then '1 Column'
when 255 then '2 Columns'
end as split,
# case oi.product_id
# when 24 then 'XXXX'
# when 28 then 'CCCC'
# when 30 then 'EEEE'
# else 'Something Else'
# end as product,
case oi.price_id
when 72 then 'UYT - Single Pay'
when 73 then 'UYT - Single Pay'
when 74 then 'UYT - Single Pay'
else 'Upsell'
end as product,
count(distinct(al.cust_id)) as the_count
from logtable al
where item_id in (206,255) and
activity_dts > '2012-01-31 19:15:00' and
o.order_is_refunded = 0 and
t.response_code = 1 and
t.response_reasontext not like '%testmode%'
group by 1,2;"
Please give me suggestions or Am I missing any thing here. The charset used by my CI installation is UTF-8.
There shouldn't be any problem with inserting your string, as it IS a string, and the database library doesn't make any character encoding by itself, afaik. What encoding are the database and the tables? (the connection should be UTF-8, as per default settings)
Since you're using the framework, you can use its methods (and not mysql_real_escape_string() or, god, addslashes()!! like suggested in other answers).This should work:
$string_query = "select
case item_id
when 206 then '1 Column'
when 255 then '2 Columns'....";
$sql = "INSERT INTO table(column) VALUES (?)";
$this->db->query($sql, array($string_query));
The query bindings automatically escapes FOR SQL, so for that you're safe (you could have used ActiveRecord with the same result). I don't know what couldn't be working in this, surely NO FUNCTIONS encodes html.
Maybe you're doing the encoding somewhere else: are you sure you're not calling xss_clean(), htmlspecialchars()/htmlentities(), or you have XSS protection enabled, or you pass TRUE as second paramenter of $this->input-> ?
If all the above for some reason - for wich you didn't provide enought information - fails, you can alwasy encode everything:
$string_query = base64_encode("select.....");
// HERE YOU MAKE THE INSERT QUERY
and when you retrieve it, you base64_decode() the string. But the ideal solution is not this, it should work without flaws anyway.
PHP addshlashes
This function will help you add the query along with its quotes as it is, in your db.
Also you can do this way,
If your queries just have multiple single quotes only, then border it by double quotes:
like $tmp = "See single' quotes";
or vice-versa like:
$tmp = 'See double " quotes';
Try following
$data_insert = mysql_real_escape_string($values);
Also you can find it in detail http://php.net/manual/en/function.mysql-real-escape-string.php
Related
I have text correctly saved into a mariahDB 10.2 database. The text, to complicate matters, is in fact a combination of Regular Expressions and a hybrid code invented by someone else.It can be used unchanged in another application as a text file - not PHP. But it just text at the end of the day. I want to grab data from this table, change it a small amount, and save it in a new table.
The problem is less so about changing the original data much, but more about SELECTING and saving data that is full of backslashes, single quotes, and double quotes to a new table without it being changed when it is saved. Is there a simple way in PHP and MySQL to take text from a table and resave it exactly as it is so the second table is not different from the the first?
For example the first table has the following in it.
add list to list(%section,$plugin function("XpathPlugin.dll", "$Generic Xpath Parser", $document text, "//p[1]/a[#class=\'result-title hdrlnk\' and 1]", "outerhtml", "False"),"Don\'t Delete","Global")
But if I put this into a variable and then INSERT or UPDATE that to another table, MySQL seems to strip out the backslashes, or add backslashes and throw errors for incorrectly formatted SQL.
For instance Don\'t Delete becomes Don't Delete and in other examples \\ become \
In another case ?=\")" loses the a backslash and becomes ?=")"
I have tried dozens of combinations of PHP function to leave the text alone, such as addslashes(), htmlentities(), preg_replace(), various string substitution and nothing get the data back into the table the same way as it came out.
Does anyone have the trick to do this? I would call the function leave_my_text_alone(); !!
EDIT
To add a few things that did not do the trick to get a variable I could update into the database I tried
$omnibotScript = addcslashes($omnibotScript,"'");
I then found I need to do this twice to consider the backslash being removed from before the apostrophe in Don't Delete....or it would throw a MySQL parsing error..Doing it again fixed that. So then I had to put two backslashes back to have one removed. I then added this to consider a double backslash being reduced to single backslash.
$pattern = '/\\\\"/';
$replacement = '\\\\\\\"';
$omnibotScript = preg_replace($pattern, $replacement, $omnibotScript);
But the list went on.
Use prepared statements.
If you use a prepared statement, MySQL will take care of all the escaping you need to get the string back into the table exactly as it came out of it. For example, using MySQLi:
$query = "SELECT s1 FROM t1";
if (!$result = $con->query($query)) {
exit($con->error);
}
$row = $result->fetch_assoc();
$value = $row['s1'];
$query = "INSERT INTO t2(s1) VALUES (?)";
$stmt = $con->prepare($query);
$stmt->bind_param('s', $value);
$stmt->execute();
The value of s1 in t2 will be exactly the same as the value in t1.
I'm trying to update a table called RAC_PV at my oracle database but the query is returning that error when i run my application. I thing everyting is right because i run the same query on sqldeveloper (but with manual values) and when i change the variable $preco_medio to a number like 1, it works on the application. Here's my code:
$preco_medio = number_format(($v_interna_real / $encargo + $vipe_real) / $v_interna_t + $vipe_t , 2, ",", ".") ;
sc_exec_sql("update RAC_PV set PRECO_MEDIO = $preco_medio where rac_anopv = {ano} and rac_mespv = {mes} and codempresa = $id_empresa and codpainel = 6 and cod_prod1 = '$id_produto'");
My table name and the column names are right and checked, my variables like {ano}, {mes}, $id_produto and $preco_medio are all corretly seted. This sc_exec_sql("query here") works fine. Maybe the problem is in the $preco_medio ? I've never used that number_format but when a echo this the number shows right for me like 3,123.03 .
Can anyone help me?
3,123.03
That's not a number literal, that's two numbers, 3 and 123.03, one of which is apparently interpreted as column name. Remove the grouping , in the number literal expression or use TO_NUMBER() and a string literal with the formatted number representation.
The best way however would be not to build queries by string concatenation but parametrized queries. String concatenation is prone to SQL Injection. Also parametrized queries find the right representation for the DBMS (usually and mostly) automatically, avoiding such problems you have here.
In my application, i send a big text as a post parameter to the server. The text is like the code below:
{"objects":[{"type":"path","originX":"center","originY":"center","left":138,"top":250.25,"width":184,"hei
ght":254,"fill":null,"overlayFill":null,"stroke":{"source":"function
anonymous() {\n\n var squareWidth = 10, squareDistance =
2;\n\n var patternCanvas =
fabric.document.createElement('canvas');\n
patternCanvas.width = patternCanvas.height = squareWidth +
squareDistance;\n var ctx =
patternCanvas.getContext('2d');\n\n ctx.fillStyle =
\"#005E7A\";\n ctx.fillRect(0, 0, squareWidth,
squareWidth);\n\n return patternCanvas;\n
\n}","repeat":"repeat","offsetX":0,"offsetY":0},"strokeWidth":15,"strokeDashArray":null,"strokeLineCap":"round","strokeLineJoin":"round","strokeMiterLimit":10,"scaleX":1,"scaleY":1,"angle":0,"flipX":false,"flipY":false,"opacity":1,"selectable":true,"hasControls":true,"hasBorders":true,"hasRotatingPoint":true,"transparentCorners":true,"perPixelTargetFind":false,"shadow":null,"visible":true,"clipTo":null,"path":[["M",69.5,0],["Q",69.5,0,70,0],["Q",70.5,0,70.75,0],["Q",71,0,71.5,....
As you there are carriage returns in it. An i want to insert this text into mysql table as a blob. But it's not successfull. I think the reason is carriage returns in it because other examples without carriage returns work well.
How can i succeed to insert this kind of a text to my table?
By the way, i'm using codeigniter cart class with db session and try to keep this text as cart item option.
You have to understand how escaping works. If you put something escaped in a string like this:
s = "Hello\nthere";
...then the result will contain a REAL linefeed. The variable itself will look like "Hello" plus linefeed plus "there". Now if you hand this over to some sql, it will get the linefeed, not the backslash plus n, which would be the proper version of telling sql to insert a linefeed. No, instead you created an sql string with a real newline inside the quotes.
So you'll have to say "let's make a string that tells sql to insert a newline", and to do this, you have to tell the language (whichever you use) to make a string that makes a string that makes a linefeed. THIS IS WHY you'll have to escape what's already escaped. It's kinda "tell Bob to tell Claire to come here" thing.
So I've seen the "how can I escape it in PHP" question twice from the OP, so here's how to escape in PHP using codeigniter:
First queries with CodeIgniter
You need to use query bindings to help ensure everything is cleaned up before it's run.
assume the following:
$sql = 'SELECT * FROM my_table WHERE first_name=? AND city=?';
Note the two question marks. These are placeholders for our input values.
When I do the following
$this->db->query($sql,array('Mike','Asheville'));
There is a 1-1 mapping for each value in the array to each ?, so the first ? will be replaced by Mike, and the second ? will be replaced by Ashevile. Both values will be escaped appropriately.
i am using mysqlclient,
in one of my query, as shown below
sprintf (query, "select user from pcloud_session where id = '%s'", sid);
here some time this sid is with % sign in it like the example
2Cq%yo4i-ZrizGGQGQ71eJQ0
but when there is this % this query always fail, i think i have to escape this %, but how ?
i tried with \ and %% , but both of this not working, please help me here
UPDATE:
When using session.hash_bits_per_character = 6, in php session ,the default charset contains a character (comma) that will always be urlencoded(here it is %2C). This results in cookie values having this %2C in it, but session db having a comma instead of it. any idea about fixing this problem ?.. sorry for the confusion
Thanks
There's no need to escape a literal '%' in MySQL query text.
When you say the query "always fail", is it the call to the mysql_query function that is returning an error? Does it return a SQL Exception code, or is it just not returning the resultset (row) you expect?
For debugging, I suggest you echo out the contents of the query string, after the call to sprintf. We'd expect the contents of the string to be:
select user from pcloud_session where id = '2Cq%yo4i-ZrizGGQGQ71eJQ0'
And I don't see anything wrong with that SQL construct (assuming the id column exists in pcloud_session and is of character datatype. Even if id was defined as an integer type, that statement wouldn't normally throw an exception, the string literal would just be interpreted as integer value of 2.)
There should be no problem including a '%' literal into the target format of an sprintf. And there should be no problem including a '%' literal within MySQL query text.
(I'm assuming, of course, that sid is populated by a call to mysql_real_escape_string function.)
Again, I suggest you echo out the contents of query, following the call to sprintf. I also suggest you ensure that no other code is mucking with the contents of that string, and that is the actual string being passed as an argument to mysql_query function. (If you are using the mysql_real_query function, then make sure you are passing the correct length.)
UPDATE
Oxi said: "It does not return a SQL Exception code, it just does not return the result[set] I expect. I did print the query, it prints with % in it."
#Oxi
Here's a whole bunch of questions that might help you track down the problem.
Have you run a test of that query text from the mysql command line client, and does that return the row(s) you expect?
Is that id column defined as VARCHAR (or CHAR) with a length of (at least) 24 characters? Is the collation on the column set as case insensitive, or is it case sensitive?
show create table pcloud_session ;
(I don't see any characters in there that would cause a problem with characterset translation, although that could be a source of a problem, if your application is not matching the database charactarset encoding.)
Have you tested queries using a LIKE predicate against that id column?
SELECT id, user FROM pcloud_session WHERE id LIKE '2Cq\%yo4i-%' ESCAPE '\\'
ORDER BY id LIMIT 10 ;
SELECT id, user FROM pcloud_session WHERE id LIKE '2Cq%'
ORDER BY id LIMIT 10 ;
Are you getting no rows returned when you expect one row? Are you getting too many rows returned, or are you getting a different row than the one you expect?
That is an oddball value for an id column. At first, it looks almost as if the value is represented in a base-64 encoding, but it's not any standard encoding, since it includes the '%' and the '-' characters.
If you're going to do this in C without an interface library, you must use mysql_real_escape_string to do proper SQL escaping.
There shouldn't be anything intrinsically wrong with using '%inside of a string, though, as the only context in which it has meaning is either directly inprintftype functions or as an argument toLIKE` inside of MySQL.
This proves to be really annoying, but it's absolutely necessary. It's going to make your code a lot more complicated which is why using low-level MySQL in C is usually a bad idea. The C++ wrapper will give you a lot more support.
You really shouldn't escape the string yourself. The safest option is to let the MySQL API handle it for you.
For a string of maximum length n, start by allocating a string of length 2*n+1:
int sidLength = strlen(sid);
// worst-case, we need to escape every character, plus a byte for the ASCIIZ
int maxSafeSidLength = sidLength * 2 + 1;
char *safeSid = malloc(maxSafeSidLength);
// copy "sid" to "safeSid", escaping as appropriate
mysql_real_escape_string(mysql, safeSid, sid, sidLength);
// build the query
// ...
free(safeSid);
There's a longer example at the mysql_real_escape_string page on dev.mysql.com, in which they build the entire query string, but the above approach should work for supplying safeSid to sprintf.
In one of my forms I use the rich text editor from Yahoo!.
Now i want to store the data from that textarea in a MySQL database.
The user can enter anything in that textarea, e.g. many double or single quotes.
How can I store that data?
Normally we store by adding that data in one variable and then put that in sql, but the quotes cause problems.
You use a PDO prepared statement (or mysql_real_escape_string)
You can use mysql_real_escape_string().
Escapes special characters in the
unescaped_string, taking into account
the current character set of the
connection so that it is safe to place
it in a mysql_query(). If binary data
is to be inserted, this function must
be used.
mysql_real_escape_string() calls
MySQL's library function
mysql_real_escape_string, which
prepends backslashes to the following
characters: \x00, \n, \r, \, ', " and
\x1a.
This function must always (with few
exceptions) be used to make data safe
before sending a query to MySQL.
e.g.
$value = mysql_real_escape_string(" ' \" etc ");
$sql = "INSERT INTO blah VALUES ('$value')";
But a better solution is to use PDO and prepared statements.
If PDO isnt an option you might be able to use mysqli instead of course with a prepared statement.
This is how my data as API response looks like, which I want to store in the MYSQL database. It contains Quotes, HTML Code , etc.
Example:-
{
rewardName: "Cabela's eGiftCard $25.00",
shortDescription: '<p>adidas gift cards can be redeemed in over 150 adidas Sport Performance, adidas Originals, or adidas Outlet stores in the US, as well as online at adidas.com.</p>
terms: '<p>adidas Gift Cards may be redeemed for merchandise on adidas.com and in adidas Sport Performance, adidas Originals, and adidas Outlet stores in the United States.'
}
SOLUTION
CREATE TABLE `brand` (
`reward_name` varchar(2048),
`short_description` varchar(2048),
`terms` varchar(2048),
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1;
While inserting , In followed JSON.stringify()
let brandDetails= {
rewardName: JSON.stringify(obj.rewardName),
shortDescription: JSON.stringify(obj.shortDescription),
term: JSON.stringify(obj.term),
}
Above is the JSON object and below is the SQL Query that insert data into MySQL.
let query = `INSERT INTO brand (reward_name, short_description, terms)
VALUES (${brandDetails.rewardName},
(${brandDetails.shortDescription}, ${brandDetails.terms})`;
Its worked....
Better yet! When submitting the content to the database, use addslashes();
When retrieving and displaying the string use stripslashes();
$string = "That's awesome!";
addslashes($string);
will come out as That\'s Awesome in the database (and won't break anything)
Then stripslashes($string);
will return it to normal.
http://php.net/manual/en/function.addslashes.php
I use this all the time - simple and straight-forward.
Thanks you guys,
for your replay.
But i had only replace the quotes characters...by this..
html = html.replace(/\'/g, "'"); // 39 is ascii of single quotes
html = html.replace(/\"/g, """); // 39 is ascii of double quotes
and then stored in the database.
its working great..by this way...
and when i want that data then i just replace to its orginal.
But thanks for your replay..
Nitish.
Panchjanya Corporation