How should I go about adding slashes to only single quotes and ignoring double quotes? I am using PHP. I would only like to escape single quotes to prevent my PHP MySQL queries from breaking.

Thank you!

Edit: I am thinking a regular expression search and replace will be the most helpful.

+3  A: 

Use mysql_real_escape_string. It escapes just the required characters while regarding the character encoding of your MySQL connection.

Gumbo
mysql_real_escape_string($variable); still escapes double quotes.
atwellpub
MySQL will correctly insert the " instead of the \" into the row. When you SELECT it, it will show up as " and not \".
AlReece45
After running mysql_real_escape_string($variable); and then placing the variable into a query; I checked in my phpmyadmin and both single and double quotes are escaped in the entry.
atwellpub
@atwellpub: And that is correct behavior since double quotes can be used to declare strings in MySQL. Imagine you have a query like `'SELECT * FROM table WHERE row="'.$value.'"'`. If possible double quotes in `$value` are not escaped, you could end up with an invalid string declaration, or – since you want to prevent SQL injections – a way to inject control data into your SQL queries.
Gumbo
@atwellpub: Maybe you’re having Magic Quotes enabled; if so disable it.
Gumbo
But my question was how do I go about only escaping single quotes and not double. I think this is a job for a regular expression unless there is a function that allows you to select which type of quote to escape.
atwellpub
@atwellpub: There is no difference whether you encode double quotes inside a single quoted string declaration or not: `SELECT '"' = '\"'` yields `1`.
Gumbo
My question still stands though.
atwellpub
+1  A: 

If you use query parameters for dynamic values, you don't need to do any escaping at all.

You can use query parameters in the mysqli extension or the PDO extension (I prefer PDO). The old mysql extension doesn't support query parameters.

Bill Karwin
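The advice above in working PHP, as an added example that is not code from this answer: a value containing a single quote, double quotes and a backslash is inserted and read back through PDO query parameters with no escaping at all. It assumes PDO with the SQLite driver so it runs offline; the MySQL DSN is shown in a comment.

```php
<?php
// Added example: query parameters make quote escaping unnecessary.
// Uses PDO with an in-memory SQLite database so it runs offline; for MySQL
// swap the DSN, e.g. new PDO("mysql:host=localhost;dbname=test", $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample value with a single quote, double quotes and a backslash
// (in a PHP single-quoted string, \' is an apostrophe and \t stays as-is).
$name = 'O\'Brien said "hi" C:\tmp';

// Naive concatenation: the apostrophe ends the SQL string literal early, so the
// statement is malformed; this is exactly why the asker's queries break.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('" . $name . "')");
    echo "unexpected: naive insert succeeded\n";
} catch (PDOException $e) {
    echo "naive concatenation failed: " . $e->getMessage() . "\n";
}

// Parameterized insert: the value travels separately from the SQL text, so
// quotes of either kind are plain data. (mysqli equivalent: $stmt->bind_param('s', $name).)
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

// Parameterized lookup; the stored value must come back byte-for-byte identical,
// i.e. no backslashes were added (unlike the \" the asker saw in phpMyAdmin).
$select = $pdo->prepare('SELECT name FROM users WHERE name = ?');
$select->execute([$name]);
$stored = $select->fetchColumn();

if ($stored !== $name) {
    throw new RuntimeException('stored value differs from input');
}
echo "round-trip OK: ", $stored, "\n";
```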
+1  A: 

Well, preg_replace("/([^\\\\])'/", "$1\\\\'", $yourStrHere) will do what you're asking:

  • "/([^\\\\])'/" yields the regex /([^\\])'/, which says "match on any single character that's not a backslash followed by a single quote, and capture the character before the quote."
  • "$1\\\\'" says "replace with the captured character followed by a backslash and a single quote"

BUT...

Bill's answer about parametrized queries using the mysqli or PDO APIs is really, really good advice. It's easier and more effective to let your database API handle this than to do it yourself -- the people who wrote these APIs (and the people who worked on the native backends for those APIs) have probably put more time and effort into addressing security and performance issues than most of us can hope to spend ourselves.

Weston C
Thank you all for the help. I really appreciate all the advice and the answers, they will go a long way.
atwellpub
A: 

A simple str_replace("'", "\\'", $string) should work. But as Gumbo stated above, you should use the library functions if you're trying to escape MySQL queries.

JW