I'm trying to insert a file path into an empty MySQL table with PHP 5, but slashes and other characters are removed, so I cannot use the string when calling it from the table. What function do I use to preserve the file path without losing characters?
$rawpath = "F:\Business\test.htm";
$url = "Business";
$query = "INSERT IGNORE INTO `sites` (`url`,`base`)".
"VALUES ('$rawpath','$url');";
echo $query;
Outputs: INSERT IGNORE INTO sites (url,base) VALUES ('F:\Business\test.htm','Business');
$query = "SELECT * FROM `sites` WHERE `base`='Business';";
$row = mysql_query($query);
$url = mysql_result($row,0,"url");
echo $url;
Outputs: F:Businesstest.htm
Your problem is with backslashes \, which are often used to escape certain characters. You need to escape these backslashes (with another backslash) to make them appear. So, if you use double quotes, write \\ instead of just \, or use addslashes($url).
I'm not quite sure that you need to escape them if you use just single quotes.
You need to escape your back slashes. Try this
$rawpath = "F:\\Business\\test.htm";
Hope this helps.
You can just do: quotemeta($rawpath) before the insert statement. All the backslashes will be correctly escaped after that.
Related
I am having trouble with SQL Management Studio, and I do not want to connect to this SQL Server. I want to make the data ready for my lines to be inserted in this database.
I have a text file with the lines of strings that I want to insert in SQL Server. A line looks like this:
You're Doing It Wrong!!,Mike Walsh,Intermediate
So it should be like this to be ready for sql server.
You''re Doing It Wrong!!,Mike Walsh,Intermediate
I also have this in lines:
Never Have to Say "Mayday!!!" Again
Is this one going to become a problem? Should I have any plan for it also?
I tried to use addslashes and then replace the slash with a single quote by doing:
$str=",('".addslashes ($array[0])."')";
$str=str_replace("\\","\'",$str);
echo $str;
I added the comma and parentheses for when I insert it into the query in SQL Server.
The result of this one will be:
,('You\''re Doing It Wrong!!'),
,('Never Have to Say \'"Mayday!!!\'" Again'),
What did I do wrong here?
You are approaching this problem in a wrong way: rather than preparing the string to be "pasted" into SQL Server's query, parameterize your SQL, and pass the string as a parameter. This way you wouldn't have to escape it at all, and the number of quotes or other special characters wouldn't matter either:
$sql = "INSERT INTO MyTable(id,name) VALUES (?,?)";
$params = array($someId, $name);
sqlsrv_query($db_conn, $sql, $params);
Using prepared statements is the best way. If you insist on a regex way, you can double single quotes with preg_replace so that there is an even number of consecutive single quotes:
''|(')
And replace with ''. See demo
Sample PHP code:
$re = "/''|(')/";
$str = "You're Doing It Wrong!!,'''Mike Walsh'',Intermediate";
$subst = "''";
$result = preg_replace($re, $subst, $str);
Output:
You''re Doing It Wrong!!,''''Mike Walsh'',Intermediate
Maybe try this:
$str = "You're Doing \"It Wrong!!,Mike Walsh,Intermediate";
$st = addslashes($str);
First of all you can replace " with \", then apply addslashes.
Using simple function:
mysqli_query($link, 'update table set field = \'variable text with \" slash\' ');
$res = mysqli_query($link, 'select field from table');
$res = mysqli_fetch_array($res);
When printing the result I get the string without the slash, like: 'variable text with " slash'.
When I preview the table in my localhost MySQL client (SequelPro) I see that there is no slash either.
Is it normal that MySQL removes this slash on insert automatically? Is there a way to prevent this? I need this slash there. Also, I cannot use addslashes later after getting the value from the db.
Magic quotes are disabled on my php server.
The slashes you are adding are used to escape the quotes in the php string. You should add 3 slashes \\\" so that the first two make a backslash and the third one escapes the quote.
This is because PHP is escaping the ". You need to escape the backslash too, like this:
mysqli_query($link, 'update table set field = \'variable text with \\\" slash\' ');
Or you could use addslashes().
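// escape only the value; running addslashes() over the whole statement would also escape its SQL quotes
$value = addslashes('variable text with \" slash');
mysqli_query($link, "update table set field = '$value' ");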
I assume you want to keep the second backslash, as the first and third are needed to escape the single quotes. To keep the backslash, simply escape the backslash:
// PHP reduces \\\\ to \\, which MySQL then stores as a single backslash
mysqli_query($link, 'update table set field = \'variable text with \\\\" slash\' ');
You don't need to escape the double quote because this string is enclosed by single quotes.
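You have to use a double slash \\
Try this:
// in a double-quoted PHP string, \\\\ reaches MySQL as \\ and \" keeps the quote inside the string
mysqli_query($link, "update table set field = 'variable text with \\\\\" slash' ");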
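The two decoding passes discussed in the answers above (first the PHP string literal, then the MySQL string literal), as an added example that is not part of the original posts. `decode_mysql_literal()` is a hypothetical helper written for this illustration, and it assumes PHP 7 or later and MySQL's default SQL mode:

```php
<?php
// Added example: decode_mysql_literal() is a hypothetical helper, not a PHP or
// MySQL function. It mimics how MySQL reads backslash escapes inside a quoted
// string literal in its default SQL mode (NO_BACKSLASH_ESCAPES off).
function decode_mysql_literal(string $body): string
{
    $special = ['0' => "\0", 'b' => "\x08", 'n' => "\n",
                'r' => "\r", 't' => "\t", 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        $c = $body[$i];
        if ($c !== '\\' || $i + 1 === $n) {
            $out .= $c;                    // ordinary byte
            continue;
        }
        $next = $body[++$i];
        if (isset($special[$next])) {
            $out .= $special[$next];       // \n, \t, ...
        } elseif ($next === '%' || $next === '_') {
            $out .= '\\' . $next;          // kept for LIKE patterns
        } else {
            $out .= $next;                 // \\ -> \   \" -> "   \x -> x
        }
    }
    return $out;
}

// PHP single-quoted literals: only \\ and \' are escapes, \" is left alone.
$sent = [
    'as asked'        => 'variable text with \" slash',
    'two backslashes' => 'variable text with \\" slash',
    'three'           => 'variable text with \\\" slash',
    'four'            => 'variable text with \\\\" slash',
    'addslashes()'    => addslashes('variable text with \" slash'),
];

foreach ($sent as $label => $bytes) {
    printf("%-16s MySQL receives: %-32s stores: %s\n",
           $label, $bytes, decode_mysql_literal($bytes));
}
```

The first two rows reach MySQL as the same bytes and are stored without the backslash; the last three are stored with it.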
In PHP, I am escaping characters before insert in a MySQL database using mysql_real_escape_string
$array_to_insert = array_map('mysql_real_escape_string', $my_arr);
$mysql->setTbl("mytable");
$id = $mysql->insertArray($array_to_insert);
When saving, double quotes are being saved as escaped with a \. I do not want this, since some of the data is HTML and it may contain tags like <a href="www.stackoverflow.com"> etc, which will be saved as <a href=\"www.stackoverflow.com\"> and then displayed incorrectly in a WordPress setup.
I have read elsewhere on stackoverflow that to avoid escaping the double quotes, one must first insert (as above) then select and insert into a table again.
Is there a way to solve this issue without having to select and re-insert?
Thanks
(note: the database I am using is in utf-8 format)
Your server may have magic_quotes enabled. Check it with
var_dump( get_magic_quotes_gpc() );
Otherwise, it's probably something you are doing beforehand or that your db library is doing. mysql_real_escape_string only escapes the string so that it is safe to use in a SQL query. It can't help if the string is already escaped to begin with.
You could always strip slashes on the way out using http://php.net/manual/en/function.stripslashes.php
for instance:
$sql = "SELECT * FROM table_name";
$result = mysql_query($sql) or die(mysql_error());
while ($output = mysql_fetch_assoc($result)) {
echo stripslashes($output['column_name']);
}
Alternatively, just remove all escaped double quotes:
echo str_replace('\"', '"', $output['column_name']);
I have an insert function where I use MySQL real_escape_string() to remove illegal characters, only it's not actually removing those characters. Can anybody see where I'm going wrong?
$interest = mysql_real_escape_string(urldecode($_GET['interest']));
$query = "INSERT INTO user_interests (user_id, interest) VALUES('{$user_id}' , '{$interest}')";
mysql_query($query) or die(mysql_error());
echo $interest;
There are no "illegal characters". mysql_real_escape_string just encodes all characters so that they can be safely put into a query. If you want to remove a character c, use str_replace:
$input = urldecode($_GET['interest']);
$input = str_replace('c', '', $input);
$interest = mysql_real_escape_string($input);
mysql_real_escape_string just escapes characters in your string that might cause problems when you try to write them to your database. This does not mean that it removes them.
Imagine you are taking user input and a user puts a quote into the input field. When you try to insert that string to your database, the quote will be interpreted as a quote in the sql query and the query won't work right.
INSERT INTO table (string)
VALUES ("this is a string with an extra " in it")
If you use mysql_real_escape_string on this string first, then your sql query will essentially look like this:
INSERT INTO table (string)
VALUES ("this is a string with an extra \" in it")
See the escape backslash above. You can see this extra quote even messes up the formatting here on SO.
$url = "What's up with "You doing this"";
$q = sprintf ("update user set url='%s'",$url);
pg_query ($db_conn, $q)
I want to insert everything into the database exactly as the user wants. I don't want to escape anything. The above would fail for me because of the quotes. I know single quotes have to go around the postgresql string (url='%s'). Since there are double quotes in my url string the query will not update because of it. I'm sure I could do a string replace for all double quotes and make them single quotes but what if the user really wants double quotes. And I cannot use string replace to put a backslash because according to the postgresql docs the slash will be deprecated soon (http://www.postgresql.org/docs/8.1/interactive/sql-syntax.html) plus that goes against inserting only what the user inputted.
What do people suggest I do?
Use pg_escape_string to escape quote characters in your string.
Use parametrized queries:
pg_query_params
(
$db_conn,
"UPDATE user SET url = $1",
array('What\'s up with "You doing this"')
);
Escape your double quotes in the text like this:
$url = "What\'s up with \"You doing this\"";
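Parameter binding, which several answers above recommend, shown end to end as an added example that is not from the original posts: the strings from the questions go through a prepared statement and are read back for comparison. SQLite in memory stands in for the MySQL, SQL Server and PostgreSQL servers so the script runs without a database server (it assumes the pdo_sqlite extension and PHP 7 or later); the table, column and function names are made up.

```php
<?php
// Added example. SQLite in memory is a stand-in so this runs offline; with a
// MySQL or PostgreSQL DSN the prepare/execute calls stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE samples (id INTEGER PRIMARY KEY, value TEXT NOT NULL)');

// Values taken from the questions on this page. Single-quoted PHP literals
// keep every backslash except \\ and \'.
$values = [
    'F:\Business\test.htm',
    "You're Doing It Wrong!!",
    'Never Have to Say "Mayday!!!" Again',
    'variable text with \" slash',
    '<a href="www.stackoverflow.com">',
    "What's up with \"You doing this\"",
];

// The value travels separately from the SQL text, so no escaping function
// (addslashes, quotemeta, *_escape_string) is applied to it.
function round_trip(PDO $pdo, string $value): string
{
    $insert = $pdo->prepare('INSERT INTO samples (value) VALUES (:value)');
    $insert->execute([':value' => $value]);

    $select = $pdo->prepare('SELECT value FROM samples WHERE id = :id');
    $select->bindValue(':id', (int) $pdo->lastInsertId(), PDO::PARAM_INT);
    $select->execute();
    return (string) $select->fetchColumn();
}

foreach ($values as $value) {
    $stored = round_trip($pdo, $value);
    printf("%-9s %s\n", $stored === $value ? 'identical' : 'CHANGED', $stored);
}
```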