PHP SQL Quotes and Quoting

This example illustrates how to handle single and double quotes in a PHP application that builds SQL queries.


In a PHP page, if the user enters data containing a single quote, it may cause an error when that data is used in a database query.

For example, on any page, if the user enters values like:

User Name: suman 
Email: [email protected]

Then the query to insert the information will be as follows, which is valid SQL syntax.

INSERT INTO users (username, email) VALUES ('suman', '[email protected]');

But if the user enters values like:

User Name: sum'an
Email: [email protected]

Then the query to insert the information will be as follows, which is not valid SQL syntax, because the quote inside sum'an ends the string literal early. So it shows a fatal error in the page.

INSERT INTO users (username, email) VALUES ('sum'an', '[email protected]');

If you want to allow the user to enter values like the one above, you have to handle the situation by adding a backslash before each single quote, i.e. ' should be replaced by \'. You can do so by passing the value to the addslashes() function in PHP.

Table: users before insertion

Source Code of sql_quotes.php 

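<?php
  // Note: the mysql_* extension used here was deprecated in PHP 5.5
  // and removed in PHP 7.0.
  $con = mysql_connect("localhost","root","root");
  if (!$con) {
    die('Could not connect: ' . mysql_error());
  }

  mysql_select_db("test", $con);

  $user = "sum'an";
  $email  = "[email protected]";

  // Put a backslash before each quote so the value stays inside
  // the SQL string literal
  $newuser = addslashes($user);
  $newemail = addslashes($email);

  // Build the statement, then run it and stop on a database error
  $query = "INSERT INTO users (username, email) VALUES 
  ('$newuser', '$newemail')";
  mysql_query($query) or die(mysql_error());

  $result = mysql_query("SELECT * FROM users ORDER BY username desc")
    or die(mysql_error());
  echo "<table border='1'>
  <tr>
  <th>Name</th>
  <th>Email</th>
  </tr>";
  // Escape stored values for HTML before printing them
  while ($row = mysql_fetch_array($result)) {
    echo "<tr>";
    echo "<td>" . htmlspecialchars($row['username'], ENT_QUOTES) . "</td>";
    echo "<td>" . htmlspecialchars($row['email'], ENT_QUOTES) . "</td>";
    echo "</tr>";
  }
  echo "</table>";

  mysql_close($con);
?>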


Output:
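
The same insert done with a PDO prepared statement, as an added example that is not part of the original page; it also shows the addslashes()-built query being rejected by a database that does not treat backslash as an escape character. The in-memory SQLite database (standing in for the MySQL "test" database) and the example.com addresses are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the original page's code. An in-memory SQLite database
// (pdo_sqlite extension) stands in for the MySQL "test" database so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed sample input containing quotes and a backslash.
$rows = [
    ["sum'an",      'suman@example.com'],
    ['Dwayne "DJ"', 'dj@example.com'],
    ['back\\slash', 'bs@example.com'],
];

// 1) String-built query with addslashes(): SQLite does not treat backslash as
//    an escape character (neither does MySQL under NO_BACKSLASH_ESCAPES), so
//    'sum\'an' still ends the literal early and the statement is rejected.
try {
    $name = addslashes($rows[0][0]);
    $pdo->exec("INSERT INTO users (username, email) VALUES ('$name', 'suman@example.com')");
    echo "addslashes query: accepted\n";
} catch (PDOException $e) {
    echo "addslashes query: rejected (" . $e->getMessage() . ")\n";
}

// 2) Prepared statement: the SQL text is fixed and the values are bound
//    separately, so no character in the data can change the statement.
$insert = $pdo->prepare('INSERT INTO users (username, email) VALUES (:username, :email)');
foreach ($rows as [$username, $email]) {
    $insert->execute([':username' => $username, ':email' => $email]);
}

// Each value comes back byte-for-byte, with no slashes added to the stored data.
$stored = $pdo->query('SELECT username FROM users ORDER BY rowid')->fetchAll(PDO::FETCH_COLUMN);
echo $stored === array_column($rows, 0) ? "round trip: exact\n" : "round trip: MISMATCH\n";

// Display: escape for the HTML context on output, a separate step from SQL handling.
echo "<table border='1'>\n<tr><th>Name</th><th>Email</th></tr>\n";
foreach ($pdo->query('SELECT username, email FROM users ORDER BY username DESC') as $row) {
    printf("<tr><td>%s</td><td>%s</td></tr>\n",
        htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'));
}
echo "</table>\n";
```

For MySQL only the connection line changes: pass a mysql: DSN with an explicit charset to the PDO constructor and keep the prepared statements as they are.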