I have some text fields in an Oracle table which contain double quotes. How do I escape them in a select query, so that I can use them in PHP?

A: 

Have you tried: "\""

zipcodeman
+1  A: 

You should be able to do a

SELECT REPLACE(your_column, '"', '\"') AS your_escaped_column
FROM your_table;
Peter Lang
+1  A: 

Odds are, if you are trying to do this you are dealing with a SQL Injection vulnerability. Please Google this and think about what you're doing.

Adam Hawkes
A: 

Well... you'd select them out just like you would any other field. It's when you are putting things into the database that you need to escape them.

That has different mechanisms depending on what database abstraction layer or driver you're using.

For drivers, I recommend PDO. That way, it doesn't matter which database you're using, escaping a field for input is always going to be something like this:

// Assuming that $dbh is a valid PDO object, like this one:
// $dbh = new PDO('oci:dbname=//hostname:1521/scott', 'scott', 'tiger');
// That's 'oci:dbname=//hostname:port-number/database', username, password

// The placeholder must not be wrapped in quotes, or it is treated as a literal string
$sql = "SELECT * FROM myTable WHERE name = :myName";
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':myName' => "Ed O'Neil"));
R. Bemrose
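The bound-parameter approach from the answer above, as an added example that is not part of the original answers: values containing double and single quotes are stored and selected back unchanged, while the same lookup built by string concatenation fails. It assumes the `pdo_sqlite` extension with an in-memory database standing in for Oracle; the table name, column name and sample values are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for Oracle so this runs offline.
// my_table / name are hypothetical names, not from the original question.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample values containing double and single quotes.
$samples = ['Ed "Al" O\'Neil', 'say "hi"', 'plain'];

// Insert: the placeholder is not quoted; the value travels separately
// from the SQL text, so no escaping function is involved.
$ins = $dbh->prepare('INSERT INTO my_table (name) VALUES (:name)');
foreach ($samples as $s) {
    $ins->execute([':name' => $s]);
}

// Select: look each value up again through a bound parameter and check
// that what comes back is byte-for-byte what went in.
$sel = $dbh->prepare('SELECT name FROM my_table WHERE name = :name');
foreach ($samples as $s) {
    $sel->execute([':name' => $s]);
    $got = $sel->fetchColumn();
    $sel->closeCursor();
    printf("%-18s round-trips unchanged: %s\n", $s, $got === $s ? 'yes' : 'no');
}

// The same lookup built by concatenation: the single quote inside the
// value ends the SQL string literal early and the statement is rejected.
try {
    $dbh->query("SELECT name FROM my_table WHERE name = '" . $samples[0] . "'");
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
```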