Escaping a query string in php

abcdefg
Forum Newbie
Posts: 2
Joined: Sun Feb 21, 2010 6:26 pm

Escaping a query string in php

Post by abcdefg »

From what I read, an apostrophe and a quote are the same thing in a PHP string. What is the right way to escape this string? I have tried a bunch of ways and I keep getting parse errors.

"Select * from userlogin where userlogin.username=".$_POST['UserName']." and userlogin.password = ".$_POST['Password']."\"";
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Escaping a query string in php

Post by flying_circus »

Which database are you using? Some have native escape functions, which would be the best way.
manohoo
Forum Contributor
Posts: 201
Joined: Wed Dec 23, 2009 12:28 pm

Re: Escaping a query string in php

Post by manohoo »

Not the most elegant solution, but try this:

$un = $_POST['UserName'];
$p = $_POST['Password'];
 
"Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";
abcdefg
Forum Newbie
Posts: 2
Joined: Sun Feb 21, 2010 6:26 pm

Re: Escaping a query string in php

Post by abcdefg »

I'm trying to query a PostgreSQL database. I would need to use the function below, so would I just give it the whole string like this?

http://php.net/manual/en/function.pg-escape-string.php

$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Escaping a query string in php

Post by flying_circus »

manohoo wrote: Not the most elegant solution, but try this:

$un = $_POST['UserName'];
$p = $_POST['Password'];
 
"Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";
Manohoo, this doesn't appear to escape anything. Am I missing something?
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Escaping a query string in php

Post by flying_circus »

In PHP, single quotes and double quotes are not treated equally. A single-quoted string is taken literally, while a double-quoted string gets processed. I was trying to find the manual page, but it escapes me at the moment. Consider the following code:

<?php
  $foo = 'bar';
 
  print "The value of variable foo is: $foo.";  // prints: The value of variable foo is: bar.
  print 'The value of variable foo is: $foo.';  // prints: The value of variable foo is: $foo.
?>
abcdefg wrote: I'm trying to query a PostgreSQL database. I would need to use the function below, so would I just give it the whole string like this?

http://php.net/manual/en/function.pg-escape-string.php

$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");
Yes, I would use pg_escape_string(). You want to escape any data that is coming from a foreign source. You don't need to escape the entire query string.

<?php
  $selectquery = sprintf("SELECT * FROM userlogin WHERE username='%s' AND password='%s';",
                         pg_escape_string($_POST['UserName']),
                         pg_escape_string($_POST['Password']));
?>
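To make the two points above concrete (escape each foreign value rather than the whole query, and why the `$_POST['...']` form inside double quotes does not parse), here is an added example that is not code from anyone in this thread. It assumes a PostgreSQL connection string given as a placeholder, a `$input` array standing in for `$_POST` with constructed values, and the `userlogin` table and columns used in the thread. It also goes one step beyond the answer by showing `pg_query_params()`, where the values never enter the SQL text at all.

```php
<?php
// Added example, not from the original thread. Connection details are
// placeholders; $input is a constructed stand-in for $_POST. One value
// deliberately contains a single quote, the ordinary input that breaks a
// query built by plain string concatenation.
$input = ['UserName' => "o'brien", 'Password' => "pa'ss"];

// 1. The parse error from the original post: inside a double-quoted string,
//    a quoted array key must be wrapped in braces, e.g.
//      "username = {$input['UserName']}"
//    Without the braces PHP refuses to compile the file. Even with them the
//    value is interpolated unescaped, so this form still needs step 2 or 3.
$conn = pg_connect('host=DB_HOST_PLACEHOLDER dbname=DB_NAME_PLACEHOLDER user=DB_USER_PLACEHOLDER');
if ($conn === false) {
    exit("connection failed\n");
}

// 2. Escape each foreign value on its own and wrap the result in single
//    quotes in the SQL. pg_escape_string() doubles the embedded quote, so
//    o'brien becomes o''brien and the literal ends where the query intends.
$escaped_sql = sprintf(
    "SELECT * FROM userlogin WHERE username = '%s' AND password = '%s'",
    pg_escape_string($conn, $input['UserName']),
    pg_escape_string($conn, $input['Password'])
);
$result = pg_query($conn, $escaped_sql);
if ($result === false) {
    exit("escaped query failed: " . pg_last_error($conn) . "\n");
}
echo "escaped query: " . pg_num_rows($result) . " matching row(s)\n";

// 3. Parameterised query: the SQL text holds only $1/$2 placeholders and the
//    values are sent separately, so there is no escaping step to forget.
$param_sql = 'SELECT * FROM userlogin WHERE username = $1 AND password = $2';
$result = pg_query_params($conn, $param_sql, [$input['UserName'], $input['Password']]);
if ($result === false) {
    exit("parameterised query failed: " . pg_last_error($conn) . "\n");
}
echo "parameterised query: " . pg_num_rows($result) . " matching row(s)\n";
```

Both forms return the same rows for the constructed input; the difference is that step 2 relies on every call site remembering to escape, while step 3 keeps data and SQL apart by construction, which is why it is the form to reach for when the driver offers it.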
ansh9d
Forum Newbie
Posts: 2
Joined: Sun Feb 21, 2010 6:38 am

Re: Escaping a query string in php

Post by ansh9d »

Try to use:

"Select * from userlogin where userlogin.username='".$_POST['UserName']."' and userlogin.password = '".$_POST['Password']."'";