Escaping a query string in php

Posted: Sun Feb 21, 2010 6:31 pm
by abcdefg
From what I read an apostrophe and a quote are the same thing in a php string. What is the right way to escape this string? I have tried a bunch of ways and I keep getting parse errors.

"Select * from userlogin where userlogin.username=".$_POST['UserName']." and userlogin.password = ".$_POST['Password']."\"";

Re: Escaping a query string in php

Posted: Sun Feb 21, 2010 6:33 pm
by flying_circus
Which database are you using? Some have native escape functions, which would be the best way.

Re: Escaping a query string in php

Posted: Sun Feb 21, 2010 6:40 pm
by manohoo
Not the most elegant solution, but try this:

$un = $_POST['UserName'];
$p = $_POST['Password'];

$query = "Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";

Re: Escaping a query string in php

Posted: Sun Feb 21, 2010 7:50 pm
by abcdefg
I'm trying to query a postgresql database. I would need to use this function below, so would I just give it the whole string like this?

http://php.net/manual/en/function.pg-escape-string.php

$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");

Re: Escaping a query string in php

Posted: Sun Feb 21, 2010 10:15 pm
by flying_circus
manohoo wrote:Not the most elegant solution, but try this:

$un = $_POST['UserName'];
$p = $_POST['Password'];

$query = "Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";

Manohoo, this doesn't appear to escape anything. Am I missing something?

Re: Escaping a query string in php

Posted: Sun Feb 21, 2010 10:43 pm
by flying_circus
PHP single quote and double quote are not treated equally. A single quote treats strings as a literal, while double quotes get processed. I was trying to find the manual page, but it escapes me at the moment. Consider the following code:

<?php
  $foo = 'bar';

  print "The value of variable foo is: $foo.";  // prints: The value of variable foo is: bar.
  print 'The value of variable foo is: $foo.';  // prints: The value of variable foo is: $foo.
?>
abcdefg wrote:I'm trying to query a postgresql database. I would need to use this function below, so would I just give it the whole string like this?

http://php.net/manual/en/function.pg-escape-string.php

$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");

Yes, I would use pg_escape_string(). You want to escape any data that is coming from a foreign source. You don't need to escape the entire query string.

<?php
  $selectquery = sprintf("SELECT * FROM userlogin WHERE username='%s' AND password='%s';",
                         pg_escape_string($_POST['UserName']),
                         pg_escape_string($_POST['Password']));
?>
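
The same lookup written three ways, as an added example that is not from anyone in this thread: it runs the thread's userlogin query against a constructed username containing an apostrophe, which is exactly the character that breaks the naive string. The $dsn value is a placeholder, the input values are constructed stand-ins for $_POST, and pg_query_params is the parameterised alternative the thread does not mention.

```php
<?php
// Added example, not code posted in the thread.
// Assumes a PostgreSQL connection string in $dsn (placeholder) and the
// thread's table userlogin(username, password).
$dsn = 'host=localhost dbname=app user=app password=secret'; // placeholder DSN

// Constructed stand-ins for $_POST['UserName'] and $_POST['Password'].
$username = "o'brien";
$password = 'hunter2';

// 1. Naive interpolation (where the thread started): the apostrophe in
//    o'brien closes the SQL literal early, so the query does not even parse.
$naive = "SELECT * FROM userlogin WHERE username='$username' AND password='$password'";

// 2. Escape each foreign value before placing it inside quotes
//    (flying_circus's suggestion). pg_escape_string doubles the apostrophe,
//    so the literal becomes 'o''brien' and the query parses as intended.
$conn = pg_connect($dsn);
$escaped = sprintf(
    "SELECT * FROM userlogin WHERE username='%s' AND password='%s'",
    pg_escape_string($conn, $username),
    pg_escape_string($conn, $password)
);

// 3. Parameterised query: the values are sent separately from the SQL text,
//    so nothing is ever spliced into the statement and there is nothing to
//    escape. Prefer this over manual escaping.
$result = pg_query_params(
    $conn,
    'SELECT * FROM userlogin WHERE username = $1 AND password = $2',
    [$username, $password]
);
$rows = $result ? pg_num_rows($result) : 0;
echo "matched rows: $rows\n";
```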

Re: Escaping a query string in php

Posted: Mon Feb 22, 2010 8:52 am
by ansh9d
Try to use:

"Select * from userlogin where userlogin.username='".$_POST['UserName']."' and userlogin.password = '".$_POST['Password']."'";