I have insert to columns with single quotes. As $this->db->query already takes care of all the special character. But my problem is i to insert data like ganesh's when the insertion takes place, only ganesh is inserted; data after the single quotes are missing. So i started using $this->db->escape but this adds single quotes to my data which is not required how to prevent this
my code
$sql="insert into tablename (list_name,list_address) values(?,?)"
$res=this->db-query($sql,array($name,$add));
MY mistake was in front end. Not back end. I will delete the question.
In cases of complex queries i find it easier to just send raw query like this :
$query = "your query";
$result = $this->db->query($query);
Don't forget to escape variables before inserting them to the query like this :
$var = $this->db->escape($var);
If you want to save the data with the single quote you will need to add slashes to the data before saving it to the database like this:
$sql="insert into tablename (list_name,list_address) values(?,?)";
$res=this->db-query($sql,array(addslashes($name), $add));
then save that into your database, after doing this you will most likely need to use stripslashes() to remove the slashes from the data before you output it to the browser.
Related
I'm currently using PDO connection for perform some mysql queries and since I use the command $conn->prepare("HERE THE QUERY") I want to know how to format characters like quotes and double quotes.
When I have cases like this one:
$conn->prepare("SELECT * FROM ('SELECT DISTINCT (user_id) FROM table1')");
This is fine because in the nested SELECT there isn't a particular character that can cause problems. But how can we handle special cases like that?
Here a strange example (forget the mysql.. this is quite irrelevant, focus on the quotes situation) with quotes and double quote inside the nested SELECT:
$conn->prepare("SELECT * FROM ('SELECT user_id, CONCAT('[\"",GROUP_CONCAT(DISTINCT(cat) ORDER BY user_id DESC SEPARATOR "\",\""),"\"]') cat_grouped FROM table_1') select1");
What should be the right quotation mark syntax according to this example query? If i use ' instead of " when I prepare the query the problem is quite fixed, but I want to understand if there is a smart way to maintain the double quotes.
firstly I recommend using single quotes - they're faster :D
The main issue is using the same quotes with each other. Doing this causes pre-mature closing, and I'm sure you'd like to save that pre-mature embarrassment.
See in simple terms:
"string has star"ted"
As you can see, the first double quote the file gets to is the one after star. This closes the string after star, rendering the ted" in a fatal error.
What you want to do is escape the quotes that conflicts with the opening quote. Single quotes inside double quotes are fine, and vice versa.
Escape single quotes inside single quotes and double quotes inside double quotes - the rest should be ok to leave. Also I recommend using backticks for your mysql tables and fields to avoid some errors down the road if they deiced to add some new keyword that just so happens to match your table/field name
e.g.
if using single quotes:
$conn->prepare('SELECT * FROM table WHERE string_field = \'value\'');
if using double quotes:
$conn->prepare("SELECT * FROM table WHERE string_field = \"value\"");
if mixing:
$conn->prepare('SELECT * FROM table WHERE string_field = "value"');
\ is the escape character used for situations like this :)
The alternative is concatting strings:
$conn->prepare('SELECT * FROM table WHERE field = '. $foo);
so breaking it up, you declare string same was as usual with preferred quotes, then to add stuff to it, you use . to concat
I am trying to insert the following query and I get syntax errors. Can you please help me with the below query:
INSERT INTO ABCTABLE (COLUMN1) values ('DECODE(MDSE_CD,NULL,'0000000000000000',LPAD(TO_NUMBER(MDSE_CD,'16',' '))');
Since you haven't really said anything other than "this query doesn't work, fix it", I have to take a stab in the dark what you want. From the query you have, I'm therefore guessing you want the value of the column to be DECODE(MDSE_CD,NULL,'0000000000000000',LPAD(TO_NUMBER(MDSE_CD,'16',' '))
In which case, you have to escape the single quotes within your string literal. Do this by doubling up the quotes:
INSERT INTO ABCTABLE (COLUMN1)
VALUES ('DECODE(MDSE_CD,NULL,''0000000000000000'',LPAD(TO_NUMBER(MDSE_CD,''16'','' ''))')
Try properly escaping the inner single quotes
INSERT INTO ABCTABLE (COLUMN1)
VALUES ('**DECODE**(MDSE_CD,NULL,''0000000000000000'',**LPAD**(TO_NUMBER(MDSE_CD,''16'','' ''))');
The problem is the use of quote marks. If we tried to break up your query it would look like this:
INSERT INTO ABCTABLE
(COLUMN1)
values
(
'DECODE(MDSE_CD,NULL,'
0000000000000000
',LPAD(TO_NUMBER(MDSE_CD,'
16
','
'))'
);
...which clearly makes no sense.
You might want to think about how to escape a quote mark inside a string.
Sql Server:
DECOD function in Sql Server can be replaced with CASE construct
LPAD function in Sql Server has not a direct correspondence but you can pad your string using string manage function REPLACE (replicate a character a number of specified times)
My Sql:
DECOD function in MySql can be replaced with CASE construct
LPAD function in MySql is existent
What do you want to store... a string literal 'DECODE(MDSE...))', or did you want to call a function to derive a value?
To store a string literal containing single quotes, you need to "escape" each single quote within the string with an extra single quote, e.g.
O'Hare Int'l ==> 'O''Hare Int''l'
The DECODE function is Oracle specific. That expression will need to be rewritten using different functions in both MySQL and SQL Server.
I'm attempting to get an entry into a database with a single quote in the string. My problem is that it is going into the database with the escape included in the string.
when I run:
$var = "'12 Toyota 4Runner";
$sql=$pdo->prepare("UPDATE $tbl_name SET description=:var WHERE id=:id");
$sql->execute(array(':id' => $id, ':var' => $var));
In my database, the entry will be "\'12 Toyota 4Runner"
Is there a way to remove the '\'?
Yes.
However, PDO has nothing to do with this quote - some other code is adding it.
Either get rid of magic quotes
And take out all the escaping functions from your code, especially from that "all protection function" loved by all the new users.
I want to store some values like "st paul's school" in mysql database. However due to the special symbol ' I am unable to store such values in mysql. I tried varchar datatype but it doesn't work. Please suggest a suitable method or datatype to store ' in mysql.
Add two single quotes like this '' or escape it like this \'
If you are doing it directly on MySQL Server, double the single quote and it will work. Example
INSERT INTO tableName VALUES ('St. Paul''s School')
But on front-end, use PreparedStatements for this.
If you are using PHP, use PDO or MySQLI extension on this to avoid SQL Injection. Please see thearticle below,
How to prevent SQL injection in PHP?
If u have variable with this apostrof use htmlentities
$your_var = "St. Paul's School";
$your_var = htmlentities($your_var);
INSERT INTO tableName VALUES ('$your_var')
If u have just string u can do double quotes like that
INSERT INTO tableName VALUES ("St. Paul's School")
Just replace the quote sign with it's entity.
If you are using php
<?php
$str = "st paul's school";
$str = str_replace("\'","ยด",$str);
$str = str_replace("\"",""",$str);
?>
You can also use
$str= htmlentities($str,ENT_QUOTES, 'UTF-8');
You can use mysqli_real_escape_string($text) to escape those ' in the text you are inserting to the database.
I'm getting the value of a field from a mysql database. The value has single quotes in both sides like this: 'foo'.
When I retrieve the data using a PHP method from the html template, I get this code:
'foo'
but I want it shows just 'foo' (with the quotes).
Any idea?
Javier
' is the ASCII code for apostrophe-quote.
If using PHP, use html_entity_decode() around the data being displayed from the database.
i.e. echo html_entity_decode($database_field_data);
http://www.php.net/manual/en/function.html-entity-decode.php
use str_replace.
echo str_replace("'" , "'" , $data['string']);