PHP MySQL query values when using implode() function

I've been using the implode function of PHP and suddenly I encountered a problem regarding it.
<?php
$insertValues[] = "(default,'{$y}', '{$p}', '{$o}', '{$i}', '{$u}','AMM-40','test')";
$query_status = "INSERT INTO `mobile1_mn1`.`logs_inbound` (
`log_id`, `originator`, `sender`, `date`, `time`,
`message`, `company_id`, `keyword`)
VALUES". implode(',',$insertValues);
?>
When the information in $y, $p, $o, $i and $u does not have any single 'quotations' or commas it can save my information to the database, but when I have a string, say for example "he's good" or "Im, good", having a comma and a quote, it can't save my information anymore...

You have to properly escape the string; use mysql_real_escape_string.
The mysql_real_escape_string() function escapes special characters in a string for use in an SQL statement
The following characters are affected:
\x00
\n
\r
\
'
"
\x1a
This function returns the escaped string on success, or FALSE on failure.

use mysql_real_escape_string()

You have to escape SQL strings.
You can use mysql_real_escape_string for this.

You have to put data/values that are STRINGS in quotes, so only imploding won't work here.
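The safest fix for the original question is not escaping at all but a prepared statement: the row values travel to the server separately from the SQL text, so a quote or comma in $y or $u can never end a literal or start a new column. The following is an added example (not code from the question or any of the answers) that rebuilds the same multi-row INSERT with PDO, still using implode(), but only to assemble the placeholder groups. Table and column names are taken from the question; the DSN, credentials and the sample rows are assumed placeholders.

```php
<?php
// Added example: multi-row INSERT into the question's logs_inbound table
// with PDO prepared statements. implode() builds only "(?,?,...)" groups;
// the data itself is bound, never concatenated into the SQL.

/**
 * Insert rows into `mobile1_mn1`.`logs_inbound` with one statement.
 * Each row is [originator, sender, date, time, message]; company_id and
 * keyword are the constants used in the question ('AMM-40', 'test').
 * Returns the number of rows inserted.
 */
function insertInboundLogs(PDO $pdo, array $rows): int
{
    if ($rows === []) {
        return 0;
    }

    // One "(?,?,?,?,?,?,?)" group per row. log_id is left out of the column
    // list so it takes its DEFAULT, matching the question's "default" literal.
    $rowPlaceholder = '(' . implode(',', array_fill(0, 7, '?')) . ')';
    $sql = 'INSERT INTO `mobile1_mn1`.`logs_inbound` '
         . '(`originator`, `sender`, `date`, `time`, `message`, `company_id`, `keyword`) VALUES '
         . implode(',', array_fill(0, count($rows), $rowPlaceholder));

    // Flatten the rows into the positional parameter list, in column order.
    $params = [];
    foreach ($rows as $row) {
        [$y, $p, $o, $i, $u] = $row;
        array_push($params, $y, $p, $o, $i, $u, 'AMM-40', 'test');
    }

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);   // values such as "he's good" are stored verbatim
    return $stmt->rowCount();
}

// Constructed sample data containing exactly the characters the question
// trips over: an apostrophe and a comma inside the message text.
$rows = [
    ['+100000000', 'alice', '2012-01-01', '10:00:00', "he's good"],
    ['+100000001', 'bob',   '2012-01-01', '10:05:00', 'Im, good'],
];

// Assumed connection details (placeholders, not real credentials).
// ATTR_EMULATE_PREPARES=false makes PDO use the server's native prepared
// statements instead of quoting the values client-side.
$pdo = new PDO(
    'mysql:host=localhost;dbname=mobile1_mn1;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

echo insertInboundLogs($pdo, $rows) . " rows inserted\n";
```

Because the column list is fixed and every value is bound, the same function handles any message content, including backslashes and NUL bytes that the character list above mentions, without any per-character escaping in application code.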

Related

Database connect-one single quote between double quote php

$data = "INSERT into detail(id,event) VALUES (1,"quest '15")";
I'm having trouble with the single quote in '15. I tried to use \'15 but it doesn't seem to work.
Try this:
$data = "INSERT into detail(id,event) VALUES (1,\"quest '15'\")";
Try this:
$data = "INSERT into detail(id,event) VALUES (1,'quest \'15')";
The problem isn't the single quote; the problem is the use of double quotes within a string literal that is enclosed in double quotes. Your double quoted string literal is actually being ended right before quest.
One alternative is to use single quotes for string literals within SQL text. Within a string literal, you'll need to "escape" the single quote, and one way to do that is by preceding a single quote by another single quote.
For example:
$data = "INSERT into detail(id,event) VALUES (1,'quest ''15')";
                                                ^      ^^  ^
If you do that, the value for the event column will be seen as quest '15
I strongly suggest using prepared statements, but in lieu of that, you can use mysqli_real_escape_string.
$data = "INSERT INTO detail (id, event) VALUES (1, '" . mysqli_real_escape_string($link, "quest '15") . "')"; // $link is the open mysqli connection

mysql_real_escape_string does not escape "

In PHP, I am escaping characters before inserting into a MySQL database using mysql_real_escape_string:
$array_to_insert = array_map('mysql_real_escape_string', $my_arr);
$mysql->setTbl("mytable");
$id = $mysql->insertArray($array_to_insert);
When saving, double quotes are being saved as escaped with a \. I do not want this, since some of the data is HTML and it may contain tags like <a href="www.stackoverflow.com"> etc, which will be saved as <a href=\"www.stackoverflow.com\"> and then displayed incorrectly in a WordPress setup.
I have read elsewhere on stackoverflow that to avoid escaping the double quotes, one must first insert (as above) then select and insert into a table again.
Is there a way to solve this issue without having to select and re-insert?
Thanks
(note: the database I am using is in utf-8 format)
Your server may have magic_quotes enabled. Check it with
var_dump( get_magic_quotes_gpc() );
Otherwise, it's probably something you are doing beforehand or that your db library is doing. mysql_real_escape_string only escapes the string so that it is safe to use in a SQL query. It can't help if the string is already escaped to begin with.
You could always strip slashes on the way out using http://php.net/manual/en/function.stripslashes.php
For instance:
$sql = "SELECT * FROM table_name";
$result = mysql_query($sql) or die(mysql_error());
while ($output = mysql_fetch_assoc($result)) {
    echo stripslashes($output['column_name']);
}
Alternatively, just remove all escaped double quotes:
echo str_replace('\"', '"', $output['column_name']);

MySQL Real escape string

I have an insert function where I use mysql_real_escape_string() to remove illegal characters, only it's not actually removing those characters. Can anybody see where I'm going wrong?
$interest = mysql_real_escape_string(urldecode($_GET['interest']));
$query = "INSERT INTO user_interests (user_id, interest) VALUES('{$user_id}' , '{$interest}')";
mysql_query($query) or die(mysql_error());
echo $interest;
There are no "illegal characters". mysql_real_escape_string just encodes all characters so that they can be safely put into a query. If you want to remove a character c, use str_replace:
$input = urldecode($_GET['interest']);
$input = str_replace('c', '', $input);
$interest = mysql_real_escape_string($input);
mysql_real_escape_string just escapes characters in your string that might cause problems when you try to write them to your database. This does not mean that it removes them.
Imagine you are taking user input and a user puts a quote into the input field. When you try to insert that string to your database, the quote will be interpreted as a quote in the sql query and the query won't work right.
INSERT INTO table (string)
VALUES ("this is a string with an extra " in it")
If you use mysql_real_escape_string on this string first, then your sql query will essentially look like this:
INSERT INTO table (string)
VALUES ("this is a string with an extra \" in it")
See the escape backslash above. You can see this extra quote even messes up the formatting here on SO.

postgresql quotes problem

$url = "What's up with "You doing this"";
$q = sprintf ("update user set url='%s'",$url);
pg_query ($db_conn, $q)
I want to insert everything into the database exactly as the user wants. I don't want to escape anything. The above would fail for me because of the quotes. I know single quotes have to go around the postgresql string (url='%s'). Since there are double quotes in my url string the query will not update because of it. I'm sure I could do a string replace for all double quotes and make them single quotes but what if the user really wants double quotes. And I cannot use string replace to put a backslash because according to the postgresql docs the slash will be deprecated soon (http://www.postgresql.org/docs/8.1/interactive/sql-syntax.html) plus that goes against inserting only what the user inputted.
What do people suggest I do?
Use pg_escape_string to escape quote characters in your string.
Use parametrized queries:
pg_query_params(
    $db_conn,
    "UPDATE user SET url = $1",
    array("What's up with \"You doing this\"")
);
Escape your double quotes in the text like this:
$url = "What\'s up with \"You doing this\"";

php mysql query syntax question regarding ""'s

Forgive me, I'm a beginner. The following code returns a parse error:
$query = "INSERT INTO scenario_needgames VALUES ("$id", "Battle of the Bulge")";
the query builder in phpMyAdmin gave me this slightly modified string that works:
$query = "INSERT INTO scenario_needgames VALUES (\"$id\" , \"Battle of the Bulge\");";
but I'm confused as to why the quotes need to be escaped when they're actually part of the query syntax, and not - say - part of a title or string? The introductory book I'm learning from doesn't include those for such simple strings.
The $id value is 7 digits, 4 letters and then 3 numbers if you're curious.
Thank you.
Double quotes need to be escaped within a double quoted string, alternatively you can use a single quoted string and not have to escape the double quotes, but then you cannot directly interpolate variables, you have to use concatenation instead:
$query = 'INSERT INTO scenario_needgames VALUES ("' . $id . '", "Battle of the Bulge")';
Alternatively, just replace your inner double-quotes with single-quotes:
$query = "INSERT INTO scenario_needgames VALUES ('$id', 'Battle of the Bulge')";
I would suggest using mysql_real_escape_string to correctly and safely quote strings. You might also like to have a look at using prepared statements instead with PDO or mysqli.
They need escaping because of PHP, not MySQL. You must escape " characters in a "-delimited string because the " character can be interpreted as the end of the string.
Look at the code coloring in your answer. The first string is colored wrongly: the parts in " and " are colored like code, not string
It's PHP which returns a parse error.
From the point of view of PHP, a string is a sequence of characters delimited by quotes. One at the beginning and one at the end.
When you want to put quotes inside the string, you need to escape them, so PHP knows the internal quotes are not the end of the string.
Unless you escape them, PHP will return a parse error because the thing you're assigning to $query is not a valid string (with a quote at each end, only)