views:

93

answers:

4

I have a query

$sql ="SELECT CustomerID FROM tblCustomer 
WHERE EmailAddress = '".addslashes($_POST['username']) ."' AND Password = '".addslashes($_POST['password']) ."'";

// when printed, it will be

SELECT CustomerID FROM tblCustomer WHERE EmailAddress = 'test@ab\'c.com' AND Password = '123'

If we execute this on a MySQL server it works, but not on a SQL Server.

What is the solution for this? I am using SQL Server.

+3  A: 

For MySQL,

use mysql_real_escape_string

http://php.net/manual/en/function.mysql-real-escape-string.php

like:

// Query
$query = sprintf("SELECT * FROM tblCustomer WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

For MSSQL,

look at the answers here:

http://stackoverflow.com/questions/574805/how-to-escape-strings-in-mssql-using-php

Haim Evgi
Doesn't work for SQL server.
cHao
This works only for MySQL, not MS SQL Server. The poster appears to want a solution that works in MS SQL Server too.
Asaph
If we do it like that, the query will output like: SELECT * FROM tblCustomer WHERE EmailAddress='' AND Password='' // form values are not being output by mysql_real_escape_string
Linto P D
I edited the answer.
Haim Evgi
I wish I could downvote this answer again. Your ms_escape_string function is the kind of stuff I pride myself on **not** doing -- the data should be validated by the caller, and if valid, should make it to the DB **unmodified**.
cHao
It's the example I linked to in the original question.
Haim Evgi
@haim evgi: And I downvoted the source of your example too. No quoting function should mangle data -- its whole purpose in life is to see that data makes it into the DB unaffected by the database's quote syntax.
cHao
+7  A: 

addslashes() will escape single quotes with a leading backslash which is valid syntax in MySQL but not in MS SQL Server. The correct way to escape a single quote in MS SQL Server is with another single quote. Use mysql_real_escape_string() for MySQL (mysql_escape_string() has been deprecated). Unfortunately, no analogous mssql_ function exists so you'll have to roll your own using str_replace(), preg_replace() or something similar. Better yet, use a database neutral abstraction layer such as PDO that supports parameterized queries.

Asaph
@Asaph: I'd +1 you, except that you linked to the same halfassed "quoting" function I just downvoted twice.
cHao
@cHao: I didn't look carefully enough at that function before I linked to it. I didn't notice it was mangling data. Thanks for pointing that out to me. I've removed the link to the offensive function from my answer.
Asaph
@Asaph: Much better. +1 :)
cHao
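As an added illustration of the quoting difference Asaph describes (this is not code from the post or from any answer): a toy string-literal scanner for the two quoting rules, run over the question's own value test@ab'c.com. The scanner is a simplified model of how each server reads a literal, not MySQL's or SQL Server's real lexer, and the PHP addslashes() behaviour is re-implemented here for the demonstration.

```python
def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash before ' " and \\ (NUL case omitted)."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in s)


def double_quotes(s: str) -> str:
    """The escape both servers accept inside a literal: ' becomes ''."""
    return s.replace("'", "''")


def scan_literal(sql: str, backslash_escapes: bool) -> tuple[str, str]:
    """Read the single-quoted literal at sql[0]; return (decoded value, rest).

    backslash_escapes=True models MySQL's default mode.  False models
    SQL Server (and MySQL with NO_BACKSLASH_ESCAPES): a backslash is an
    ordinary character and only '' produces a quote inside the literal.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    i, val = 1, []
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            val.append(sql[i + 1])              # \x -> x
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            val.append("'")                     # '' -> '
            i += 2
        elif ch == "'":
            return "".join(val), sql[i + 1:]    # closing quote
        else:
            val.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


EMAIL = "test@ab'c.com"  # constructed sample, the same value as in the question


def round_trip(escaper, backslash_escapes: bool) -> tuple[str, str]:
    """Build the WHERE fragment with `escaper`, then read it back as the server would.

    Returns (value the server compares against, text left after the literal).
    A correct escaper yields EMAIL unchanged and leaves " AND ..." intact.
    """
    fragment = "'" + escaper(EMAIL) + "' AND Password = '123'"
    return scan_literal(fragment, backslash_escapes)


if __name__ == "__main__":
    for name, esc in (("addslashes", addslashes), ("double_quotes", double_quotes)):
        for dialect, bs in (("MySQL", True), ("SQL Server", False)):
            print(f"{name:14s} {dialect:11s} {round_trip(esc, bs)!r}")
```

Under the SQL Server rule the addslashes() output closes the literal early, so the server compares against a truncated value and then hits stray text; doubling the quote survives both rules, but it only handles the quote character, which is why the parameterised-query advice in these answers is the real fix.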
+2  A: 

For MySQL, you want to use mysql_real_escape_string. addslashes does almost the same thing and has fewer letters, but apparently it gets some stuff wrong -- don't use it.

For SQL Server, it's a bit more complicated, as (1) MySQL quotes stuff non-standardly, and (2) I don't see a function made to quote stuff for SQL Server. However, the following should work for you...

$escaped_str = str_replace("'", "''", $unsafe_str);
cHao
`addslashes()` was designed for a different purpose and gets one subtle case wrong. Don't use it for escaping for MySQL.
staticsan
Thanks, it works.
Linto P D
@staticsan: I kinda figured there was a reason there was a whole other function (with a deprecated previous version!) to quote MySQL strings. +1 for mentioning it. :) Edited my answer accordingly.
cHao
+1  A: 

You shouldn't really be building the SQL statement dynamically as it's dangerous (and unnecessary). The correct thing to do is to use a parameterised query, see http://msdn.microsoft.com/en-us/library/cc296201%28SQL.90%29.aspx

$sql ="SELECT CustomerID FROM tblCustomer WHERE EmailAddress = ? AND Password = ?";
$stmt = sqlsrv_query( $conn, $sql, array($_POST['username'], $_POST['password']));

This is much safer and means you don't have to worry about escaping characters. Another thing is to beware of case sensitive / insensitive comparisons. For example, if you wanted email address to be case insensitive but password case sensitive, use something like:

$sql ="SELECT CustomerID FROM tblCustomer WHERE EmailAddress = ? COLLATE SQL_Latin1_General_CP1_CI_AI AND Password = ? COLLATE SQL_Latin1_General_CP1_CS_AS";
Joel Mansford