From what I read, an apostrophe and a quote are the same thing in a PHP string. What is the right way to escape this string? I have tried a bunch of ways and I keep getting parse errors.
"Select * from userlogin where userlogin.username=".$_POST['UserName']." and userlogin.password = ".$_POST['Password']."\"";
Escaping a query string in php
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Escaping a query string in php
Which database are you using? Some have native escape functions, which would be the best way.
Re: Escaping a query string in php
Not the most elegant solution, but try this:
Code:
$un = $_POST['UserName'];
$p = $_POST['Password']; // key must match the form field name used in the original post
$sql = "Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";

Re: Escaping a query string in php
I'm trying to query a postgresql database. I would need to use this function below, so would I just give it the whole string like this?
http://php.net/manual/en/function.pg-escape-string.php
$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");
- flying_circus
Re: Escaping a query string in php
manohoo wrote:
Not the most elegant solution, but try this:
Code:
$un = $_POST['UserName'];
$p = $_POST['password'];
"Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";

Manohoo, this doesn't appear to escape anything. Am I missing something?
- flying_circus
Re: Escaping a query string in php
PHP single quotes and double quotes are not treated equally. A single quote treats strings as a literal, while double quotes get processed. I was trying to find the manual page, but it escapes me at the moment. Consider the following code:
Code:
<?php
$foo = 'bar';
print "The value of variable foo is: $foo."; // prints: The value of variable foo is: bar.
print 'The value of variable foo is: $foo.'; // prints: The value of variable foo is: $foo.
?>

abcdefg wrote:
I'm trying to query a postgresql database. I would need to use this function below, so would I just give it the whole string like this?
http://php.net/manual/en/function.pg-escape-string.php
$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");

Yes, I would use pg_escape_string(); you want to escape any data that is coming from a foreign source. You don't need to escape the entire query string.
Code:
<?php
$selectquery = sprintf("SELECT * FROM userlogin WHERE username='%s' AND password='%s';",
    pg_escape_string($_POST['UserName']),
    pg_escape_string($_POST['Password']));
?>

Re: Escaping a query string in php
try to use
"Select * from userlogin where userlogin.username='".$_POST['UserName']."' and userlogin.password = '".$_POST['Password']."'";
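An added example (not code posted in this thread) that follows flying_circus's advice: escape only the values that come from outside the script, never the whole query, and, better still, let the PostgreSQL driver keep SQL and data apart with pg_query_params(). It assumes the pgsql extension is loaded; the sample form input is constructed, and the connection string is a placeholder.

```php
<?php
// Added example, not from the thread. Shows the two safe ways to get the
// posted values into the thread's userlogin query. Assumes the pgsql
// extension; the connection string near the bottom is a placeholder.

// Constructed sample input: a legitimate username containing an apostrophe,
// which is exactly what breaks the unescaped concatenation used earlier in
// the thread (the quoted literal ends at the first apostrophe).
$post = ['UserName' => "O'Brien", 'Password' => 'correct horse'];

// 1. Escaped values interpolated into quoted SQL literals. pg_escape_string()
//    doubles the apostrophe so the literal stays balanced. It works without an
//    open connection, in which case libpq's default escaping rules are used.
function buildEscapedQuery(array $post): string
{
    return sprintf(
        "SELECT * FROM userlogin WHERE username = '%s' AND password = '%s'",
        pg_escape_string($post['UserName']),
        pg_escape_string($post['Password'])
    );
}

// 2. Parameterised query: the SQL text and the values travel separately, so
//    nothing needs escaping and a quoting mistake like the one in the original
//    post cannot change the meaning of the statement. Returns the matching
//    rows, or null if the query itself failed.
function findUser($conn, array $post): ?array
{
    $sql = 'SELECT * FROM userlogin WHERE username = $1 AND password = $2';
    $result = pg_query_params($conn, $sql, [$post['UserName'], $post['Password']]);
    if ($result === false) {
        return null;
    }
    $rows = pg_fetch_all($result);
    return $rows === false ? [] : $rows; // older PHP returns false for no rows
}

// Print the escaped form so the doubled apostrophe is visible.
echo buildEscapedQuery($post), PHP_EOL;

// Only attempt the live query when a server is reachable (placeholder DSN).
$conn = @pg_connect('host=localhost dbname=PLACEHOLDER user=PLACEHOLDER');
if ($conn !== false) {
    var_dump(findUser($conn, $post));
}
```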