ansaurus

Question

how escape quotes when inserting into database in PHP

Answer 1

+3 A:

it should work without the sprintf stuff

$title = mysql_real_escape_string($_POST[title]);
$body = mysql_real_escape_string($_POST[body]);

Tim 2010-04-07 12:06:47

Thank you, it works like a charm!

Mauro74 2010-04-07 12:18:19

@Mauro: Still you should not use this, but parameterized statements instead.

Tomalak 2010-04-07 12:24:30

@Tomalak not "should" but "recommended". Prepared statements are more fool-proof, yes, but still not a silver bullet.

Col. Shrapnel 2010-04-07 12:26:53

@Col. Shrapnel: I thought "should" and "recommended" was the same thing. I would have used some form of "have to" or "must" otherwise. *Sorry, I'm not into watering down language constructs purely for the sake of politeness.* ;)

Tomalak 2010-04-07 12:33:50

Whilst parameterised statements are definitely a better approach in general, unfortunately PHP's `mysqli_bind_param` implementation of them is a bit verbose, and has a disastrous interface trap for the unwary in that it binds by variable reference instead of value. This often makes it a more difficult sell than escaping. (PDO is a bit better on this front.)

bobince 2010-04-07 13:09:44

@bobince: Binding by reference should not be a problem as long as binding and execution are done in close succession. Apart from that it is bad style to re-use dedicated variables for something else anyway. ;) For my part, verbosity+security beats brevity. Code is more often read than written, so being verbose is actually a good thing.

Tomalak 2010-04-07 13:18:07

It's not a problem as long as you know about it. For a beginner (and, I'd wager, a majority of everyday PHP coders) who don't, it's a counter-intuitive and potentially annoying-to-debug trap. It also stops you binding a value like `'foo'.$bar`, which means more bogus temporary variables. I love parameterised queries, but `mysqli`'s interface is a shed. Python's DB-API shows how it should have be done concisely. (Although then you get the heartache of `paramstyle`, so you can't win I guess...)

bobince 2010-04-07 13:27:49

Answer 2

+1 A:

With any database query, especially inserts from a web based application, you should really be using parameters. See here for PHP help on how to use parameters in your queries: PHP parameters

This will help to prevent SQL injection attacks as well as prevent you from having to escape characters.

Tommy 2010-04-07 12:08:28

Thanks I'll have a look at that! :)

Mauro74 2010-04-07 12:19:03

Answer 3

+1 A:

Your code

$sql="INSERT INTO articles (title, body, date) VALUES ('$title','$body','$nowdate'),";

should be as follows

$sql="INSERT INTO articles (title, body, date) VALUES ('$title','$body','$nowdate')";

comma should not be there at the end of query

Salil 2010-04-07 12:11:30

yes I know about the comma was just a typo.

Mauro74 2010-04-07 12:13:01

Answer 4

+5 A:

Please start using prepared parameterized statements. They remove the need for any SQL escaping woes and close the SQL injection loophole that string-concatenated SQL statements leave open. Plus they are much more pleasing to work with and much faster when used in a loop.

$con  = new mysqli("localhost", "u", "p", "test");
if (mysqli_connect_errno()) die(mysqli_connect_error());

$sql  = "INSERT INTO articles (title, body, date) VALUES (?, ?, NOW())";
$stmt = $con->prepare($sql);
$ok   = $stmt->bind_param("ss", $_POST[title], $_POST[body]);

if ($ok && $stmt->execute())
  header('Location: index.php');
else
  die('Error: '.$con->error);

Tomalak 2010-04-07 12:16:22

ansaurus

tags:

views:

answers:

how escape quotes when inserting into database in PHP

related questions