Escaping a query string in php
Posted: Sun Feb 21, 2010 6:31 pm
by abcdefg
From what I read, an apostrophe and a quote are the same thing in a PHP string. What is the right way to escape this string? I have tried a bunch of ways and I keep getting parse errors.
"Select * from userlogin where userlogin.username=".$_POST['UserName']." and userlogin.password = ".$_POST['Password']."\"";
Re: Escaping a query string in php
Posted: Sun Feb 21, 2010 6:33 pm
by flying_circus
Which database are you using? Some have native escape functions, which would be the best way.
Re: Escaping a query string in php
Posted: Sun Feb 21, 2010 6:40 pm
by manohoo
Not the most elegant solution, but try this:
Code:
$un = $_POST['UserName'];
$p = $_POST['password'];
"Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";
Re: Escaping a query string in php
Posted: Sun Feb 21, 2010 7:50 pm
by abcdefg
I'm trying to query a PostgreSQL database. I would need to use this function below, so would I just give it the whole string like this?
http://php.net/manual/en/function.pg-escape-string.php
$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");
Re: Escaping a query string in php
Posted: Sun Feb 21, 2010 10:15 pm
by flying_circus
manohoo wrote: Not the most elegant solution, but try this:
Code:
$un = $_POST['UserName'];
$p = $_POST['password'];
"Select * from userlogin where userlogin.username='$un' and userlogin.password = '$p'";
Manohoo, this doesn't appear to escape anything. Am I missing something?
Re: Escaping a query string in php
Posted: Sun Feb 21, 2010 10:43 pm
by flying_circus
PHP single quotes and double quotes are not treated equally. A single quote treats the string as a literal, while double quotes get processed. I was trying to find the manual page, but it escapes me at the moment. Consider the following code:
Code:
<?php
$foo = 'bar';
print "The value of variable foo is: $foo."; // prints: The value of variable foo is: bar.
print 'The value of variable foo is: $foo.'; // prints: The value of variable foo is: $foo.
?>
abcdefg wrote: I'm trying to query a PostgreSQL database. I would need to use this function below, so would I just give it the whole string like this?
http://php.net/manual/en/function.pg-escape-string.php
$selectquery = pg_escape_string("Select * from userlogin where username = $_POST['UserName'] and password = $_POST['Password']");
Yes, I would use pg_escape_string(). You want to escape any data that is coming from a foreign source. You don't need to escape the entire query string.
Code:
<?php
$selectquery = sprintf("SELECT * FROM userlogin WHERE username='%s' AND password='%s';",
pg_escape_string($_POST['UserName']),
pg_escape_string($_POST['Password']));
?>
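The approaches in this thread side by side, as an added example that is not code from any poster: the raw concatenation from the original question, flying_circus's per-value pg_escape_string(), and the parameterised form with pg_query_params(). The table name, column names and the UserName/Password field names follow the thread; $dsn and the connection string are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Assumes a PostgreSQL table
// userlogin(username, password) and a placeholder connection string.
$dsn = 'host=localhost dbname=app user=app password=PLACEHOLDER';

// What the original question does: foreign data spliced into the SQL text.
// A single quote inside $user ends the string literal early, so whatever
// follows it is parsed as SQL rather than compared as a username.
function lookupUnsafe($conn, string $user, string $pass)
{
    $sql = "SELECT * FROM userlogin WHERE username='" . $user
         . "' AND password='" . $pass . "'";
    return pg_query($conn, $sql);
}

// flying_circus's approach: escape each piece of foreign data, never the
// whole query. Passing $conn lets pg_escape_string() honour the connection's
// standard_conforming_strings setting when deciding how to treat backslashes.
function lookupEscaped($conn, string $user, string $pass)
{
    $sql = sprintf("SELECT * FROM userlogin WHERE username='%s' AND password='%s'",
                   pg_escape_string($conn, $user),
                   pg_escape_string($conn, $pass));
    return pg_query($conn, $sql);
}

// Preferred: hand the SQL and the data to the server separately with
// pg_query_params(). The values are bound to $1 and $2 and are never parsed
// as SQL, so no escaping is needed. Single quotes keep PHP from interpolating $1.
function lookupParams($conn, string $user, string $pass)
{
    $sql = 'SELECT * FROM userlogin WHERE username = $1 AND password = $2';
    return pg_query_params($conn, $sql, [$user, $pass]);
}

$conn = pg_connect($dsn) or die("connection failed\n");
$user = $_POST['UserName'] ?? '';
$pass = $_POST['Password'] ?? '';

$result = lookupParams($conn, $user, $pass);
if ($result === false) {
    die('query failed: ' . pg_last_error($conn) . "\n");
}
echo pg_fetch_assoc($result) ? "login ok\n" : "no match\n";
```

pg_query_params() has been available since PHP 5.1, so it was already an option when this thread was written.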
Re: Escaping a query string in php
Posted: Mon Feb 22, 2010 8:52 am
by ansh9d
Try to use
"Select * from userlogin where userlogin.username='".$_POST['UserName']."' and userlogin.password = '".$_POST['Password']."'";