postgresql quotes problem - php

$url = "What's up with "You doing this"";
$q = sprintf ("update user set url='%s'",$url);
pg_query($db_conn, $q);
I want to insert everything into the database exactly as the user wants. I don't want to escape anything. The above would fail for me because of the quotes. I know single quotes have to go around the PostgreSQL string (url='%s'). Since there are double quotes in my url string, the query will not update because of it. I'm sure I could do a string replace for all double quotes and make them single quotes, but what if the user really wants double quotes? And I cannot use string replace to put a backslash in, because according to the PostgreSQL docs the slash will be deprecated soon (http://www.postgresql.org/docs/8.1/interactive/sql-syntax.html), plus that goes against inserting only what the user inputted.
What do people suggest I do?

Use pg_escape_string to escape quote characters in your string.

Use parametrized queries:
pg_query_params(
    $db_conn,
    'UPDATE user SET url = $1',   // $1 is a placeholder, not PHP interpolation
    array("What's up with \"You doing this\"")   // PHP-level quoting only; the value is sent separately from the SQL text
);
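The two answers above (pg_escape_string and pg_query_params) side by side, as an added example that is not part of the original post. It assumes a reachable PostgreSQL database described by the placeholder connection string, a table with columns id and url, and uses pg_escape_literal() for the escaping variant because it adds the surrounding quotes as well as doubling the apostrophe. The table name is written as "user" in double quotes because user is a reserved word in PostgreSQL.

```php
<?php
// Added example, not from the original post. Connection string and the
// "user"(id, url) table are placeholders for the demo.
$dsn = 'host=localhost dbname=example user=app password=CHANGE_ME';
$db_conn = pg_connect($dsn);
if ($db_conn === false) {
    exit("connect failed\n");
}

// The user's input, to be stored verbatim. Only the PHP string layer needs the
// backslashes in front of the inner double quotes; PostgreSQL never sees them.
$url = "What's up with \"You doing this\"";

// 1. Parameterized query: the value travels separately from the SQL text, so
//    neither ' nor " inside $url can terminate the literal or alter the statement.
$res = pg_query_params($db_conn, 'UPDATE "user" SET url = $1 WHERE id = $2', [$url, 1]);
if ($res === false) {
    exit(pg_last_error($db_conn) . "\n");
}

// 2. Escaping instead: pg_escape_literal() doubles the single quote and wraps
//    the result in quotes, following the connection's encoding and settings.
$lit = pg_escape_literal($db_conn, $url);   // 'What''s up with "You doing this"'
$res = pg_query($db_conn, "UPDATE \"user\" SET url = $lit WHERE id = 1");
if ($res === false) {
    exit(pg_last_error($db_conn) . "\n");
}

// Read the row back and confirm the stored value is byte for byte what was typed.
$row = pg_fetch_assoc(pg_query_params($db_conn, 'SELECT url FROM "user" WHERE id = $1', [1]));
var_dump($row['url'] === $url);   // bool(true)
```

Either form keeps both kinds of quote intact in the database; the parameterized form is the one to prefer because it works for every input without the application having to know the server's quoting rules.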

escape your double quotes in the text like this
$url = "What's up with \"You doing this\"";   // inside a double-quoted PHP string only " and \ need a backslash; \' would leave a literal backslash in the text

Related

direct double quoted text can be inserted into sql database, but single quote to double quote converted string is inserted as empty into the database?

I have a textbox where I can type double-quoted words like: hello i am "steve" and I can successfully insert the string into my database after mysqli_real_escape_string
<textarea name="description"></textarea>
php below:
$text_data = $_POST['description']; // hello my name is "steve"
$final_text = mysqli_real_escape_string($this->conn,$text_data);
// the above without removing double quotes can be inserted into the db
but if it is single quotes and I convert to double quotes then it cannot be inserted.
$text_data = $_POST['description']; // hello my name is 'steve'
$final_text = str_replace("'",'"',$text_data);
$final_text = mysqli_real_escape_string($this->conn,$text_data);
so my questions are:
how come it works with double quotes? Doesn't it need to be removed or replaced with \" or something?
If in the first case double quotes work fine, then how come in the second case, when converted from single to double quotes, it cannot be inserted into the db?
Thanks a lot in advance
MySQL treats a single quote as a string END. In order to INSERT a string with single quotes you have to ESCAPE it as \'Hello World\'
This should work seamlessly
$text_data = "hello my name is \'steve\'";
A couple of things.
First, I would do some reading on the differences between the single quote's and the double quote's behaviors, just so going forward you have a basis for the differences between the two.
Secondly, let's look at the logic of your code:
If I replace the single quotes in your code like your code suggests, your statement will look like this:
"hello my name is "steve""
Now let's look closely at what happens between " and steve.
"hello my name is " steve ""
The reason your query is failing, I believe, is because steve is not quoted anymore.
Using a prepared statement is really your best solution to the problem.
Hope that helps
UPDATED:
$text_data = "hello my name is 'steve'";
$final_text = str_replace("'", '\"', $text_data);   // in a single-quoted PHP string '\"' is the two characters \"

Escape string with single quotes in PHP for SQLite

I would like to store the following string in the field of an SQLite table:
$string = "Einstein's equation";
Is there a function to do so in a safe way? Obviously
SQLite3::escapeString($string);
does not work. Instead it will return Einstein"s equation.
I read that in SQL one is supposed to use double single quotes for single quotes, i.e., Einstein''s equation. However, if I try to make it safe SQLite3::escapeString("Einstein''s equation") returns Einstein""s equation. Is that a bug of escapeString?
What would be the correct way to escape a string with single quotes properly?
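Both ways of getting an apostrophe into SQLite from PHP, as an added example that is not part of the question. It uses an in-memory database and a constructed notes table so it runs offline, and shows what SQLite3::escapeString() actually produces next to the bound-parameter form, which needs no quoting at all.

```php
<?php
// Added example, not from the question. In-memory database and the notes
// table are constructed for the demo.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

$string = "Einstein's equation";

// Option 1: escaping. SQLite3::escapeString() doubles each single quote, the
// SQL-standard form; the caller still supplies the outer quotes.
$escaped = SQLite3::escapeString($string);   // Einstein''s equation
$db->exec("INSERT INTO notes (body) VALUES ('$escaped')");

// Option 2 (preferred): a bound parameter. The value never becomes part of the
// SQL text, so no quoting rules apply to it.
$stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->bindValue(':body', $string, SQLITE3_TEXT);
$stmt->execute();

// Both rows hold the original text with a single apostrophe.
$rows = $db->query('SELECT body FROM notes ORDER BY id');
while ($row = $rows->fetchArray(SQLITE3_ASSOC)) {
    var_dump($row['body'] === $string);   // bool(true), printed twice
}
```

The doubled quote is only an artefact of the SQL text; the stored value has one apostrophe, which the read-back comparison confirms.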

Why mysql is removing slash from data?

Using simple function:
mysqli_query($link, 'update table set field = \'variable text with \" slash\' ');
$res = mysqli_query($link, 'select field from table');
$res = mysqli_fetch_array($res);
when printing the result I have string without slash like: 'variable text with " slash'.
When I preview the table in my localhost mysql client (SequelPro) I see that there are no slash also.
Is it normal that MySQL is removing this slash on insert automatically? Is there a way to prevent this? I need this slash there. Also I cannot use addslashes later after getting the value from the db.
Magic quotes are disabled on my php server.
The slashes you are adding are used to escape the quotes in the php string. You should add 3 slashes \\\" so that the first two make a backslash and the third one escapes the quote.
This is because PHP is escaping the ". You need to escape the backslash too, like this:
mysqli_query($link, 'update table set field = \'variable text with \\\" slash\' ');
Or you could use addslashes().
$value = addslashes('variable text with \" slash');   // the value, not the whole query, gets escaped; the result is variable text with \\\" slash
$query = "update table set field = '$value'";
mysqli_query($link, $query);
I assume you want to keep the second backslash, as the first and third are needed to escape the single quotes. To keep the backslash, simply escape the backslash:
mysqli_query($link, 'update table set field = \'variable text with \\" slash\' ');
You don't need to escape the double quote because this string is enclosed by single quotes.
you have to use a double slash \\
try that:
mysqli_query($link, "update table set field = 'variable text with \\\" slash' ");   // \\ is a literal backslash; \" keeps the quote inside the double-quoted PHP string
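What each PHP literal in this thread really contains, and a way to store the backslash without relying on either layer's escape rules, as an added example that is not part of the thread. The connection parameters and the t(id, field) table are placeholders; the var_dump lines show the bytes PHP hands to MySQL before any SQL escaping happens.

```php
<?php
// Added example, not from the thread. Connection parameters and the
// t(id, field) table are placeholders for the demo.

// Step 1: inspect what each PHP literal really contains before MySQL sees it.
// In a single-quoted PHP string only \' and \\ are escapes, so \" stays as two bytes.
var_dump('with \" slash');      // string(13) "with \" slash"
// In a double-quoted PHP string \" and \\ are escapes, so \\\" also yields \" (two bytes).
var_dump("with \\\" slash");    // string(13) "with \" slash"
// Pasted into SQL text, MySQL (default sql_mode) then reads \" as an escaped ",
// which is the layer where the backslash disappears.

// Step 2: send the value as a bound parameter so MySQL stores exactly these bytes.
$wanted = 'variable text with \" slash';   // backslash included

$link = mysqli_connect('localhost', 'app', 'CHANGE_ME', 'example');   // placeholder
if ($link === false) {
    exit("connect failed\n");
}
$id = 1;
$stmt = mysqli_prepare($link, 'UPDATE t SET field = ? WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'si', $wanted, $id);
mysqli_stmt_execute($stmt);

// Step 3: read it back and compare byte for byte.
$stmt = mysqli_prepare($link, 'SELECT field FROM t WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $stored);
mysqli_stmt_fetch($stmt);
var_dump($stored === $wanted);   // bool(true)
```

With a bound parameter the value is never part of the SQL text, so neither the PHP string rules nor MySQL's backslash handling can strip or add characters on the way in.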

Replace forward to back slash in query string

MySql Code
SELECT replace(replace(v.image_path,"\\","/"),"%s","_120") as image_path
FROM `artistkr_fox`.`phpfox_video` v;
My phpfox service file query string
$aVideos = $this->database()->select("REPLACE(REPLACE(v.image_path,'\','/'),'%s','_120') as image_path" . Phpfox::getUserField())
->from($this->_sTable, 'v')
->execute('getSlaveRows');
This query can't return any value
error throw in this code "REPLACE(v.image_path,'\','/')"
You need to make sure you are not mixing the quotes of the PHP string and your SQL query.
You can do this by either by escaping them using backslashes in front of your quote (\')
$query = 'SELECT replace(replace(v.image_path,"\\\\","/"),\'%s\',\'_120\') as image_path FROM artistkr_fox.phpfox_video v';   // \\\\ in a single-quoted PHP string gives \\ in the SQL, which MySQL reads as one backslash
or by using double quotes (") for the PHP string and single quotes (') for your SQL query:
$query = "SELECT replace(replace(v.image_path,'\\\\','/'),'%s','_120') as image_path FROM artistkr_fox.phpfox_video v";
(Note that when using double quotes for the PHP string, you need to escape the backslashes in your SQL query.)
Which one you choose depends on your preference and the situation (e.g. complexity of the query).

PHP String - Escape Single Quotes (for jQgrid Select Box)

I have a string:
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'"
My problem is, the single quotes you can see in JR'S OFFICE and MFR's OFFICE are prematurely ending my string. I could switch my double quotes with single quotes and vice versa, but these are coming from user-entered values. If the user had entered a double quote, I would be in the same boat as I am now.
Any ideas on how to keep the integrity of this string while having single and double quotes throughout?
By the way, not sure if this matters for anything but - I'm putting my $departmentList string into a jQGrid to build the values for a select box.
Use addslashes to replace " with \" and ' with \'.
If you are using the input for database purposes, better use mysql_real_escape_string()
$departmentList = "value:'16:NAR,JR'S OFFICE;17:MFR'S OFFICE;18:NAR/MFR JOINT OFFICE'";
$data = mysql_real_escape_string($departmentList);
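Since the string in this question is destined for a jqGrid select box in JavaScript rather than for a database, the escaping that matters is JavaScript string escaping. As an added example that is not part of the thread, the following builds the id:label list from a constructed department array (the question's three entries plus one with double quotes) and uses json_encode() to emit a JavaScript literal in which both kinds of quote survive and cannot end the string early.

```php
<?php
// Added example, not from the thread. Department data is constructed from the
// question's sample; entry 19 is added to show double quotes as well.
$departments = [
    16 => "NAR,JR'S OFFICE",
    17 => "MFR'S OFFICE",
    18 => 'NAR/MFR JOINT OFFICE',
    19 => 'Test "quoted" dept',
];

// jqGrid select editoptions take "id:label;id:label" text; build that first.
$parts = [];
foreach ($departments as $id => $name) {
    $parts[] = "$id:$name";
}
$departmentList = implode(';', $parts);

// json_encode() produces a valid JavaScript string literal. The HEX flags turn
// < > ' " & into \uXXXX escapes so the output can neither close the <script>
// element nor terminate a quoted JavaScript string, whatever the user typed.
$jsLiteral = json_encode(
    $departmentList,
    JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES
);

echo "<script>var editoptions = {value: $jsLiteral};</script>\n";
// emits: {value: "16:NAR,JR\u0027S OFFICE;17:MFR\u0027S OFFICE;18:NAR/MFR JOINT OFFICE;19:Test \u0022quoted\u0022 dept"}
```

The browser decodes the \u0027 and \u0022 escapes back to ' and " when it evaluates the literal, so jqGrid receives the original labels while the PHP string and the generated script stay well formed.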
