PHP SQL Quotes and Quoting

This example illustrates different ways to handle single and double quotes
in a PHP application that builds SQL queries.
If a user enters data containing a single quote on a PHP page, it may cause an
error when that data is written to the database.
For example, if a user enters values like:
User Name: suman
Email: suman@email.com
then the query to insert this information is as follows, which is valid SQL
syntax.
INSERT INTO users (username, email) VALUES ('suman', 'suman@email.com');
But if the user enters values like:
User Name: sum'an
Email: suman@email.com
then the query built from them is as follows. It is not valid SQL syntax,
because the unescaped quote inside the name ends the string literal early, so
the page shows a fatal error.
INSERT INTO users (username, email) VALUES ('sum'an', 'suman@email.com');
If users may enter values like the one above, you have to handle the situation
by adding a backslash before each single quote, i.e. ' must be replaced by \'.
You can do this by passing the value to the addslashes() function in PHP.
Table: users before insertion

Source Code of sql_quotes.php
<?php
// Connect to the MySQL server with the legacy mysql_* extension used by this page
$con = mysql_connect("localhost", "root", "root");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("test", $con);

// Sample input; the user name contains a single quote
$user = "sum'an";
$email = "suman@email.com";

// Prefix each single quote with a backslash so the SQL string literal stays intact
$newuser = addslashes($user);
$newemail = addslashes($email);

$query = "INSERT INTO users (username, email) VALUES ('$newuser', '$newemail')";
mysql_query($query) or die(mysql_error());

$result = mysql_query("SELECT * FROM users ORDER BY username DESC");
echo "<table border='1'>
<tr>
<th>Name</th>
<th>Email</th>
</tr>";
while ($row = mysql_fetch_array($result)) {
    echo "<tr>";
    // Escape stored values for HTML so they cannot inject markup into the page
    echo "<td>" . htmlspecialchars($row['username']) . "</td>";
    echo "<td>" . htmlspecialchars($row['email']) . "</td>";
    echo "</tr>";
}
echo "</table>";
mysql_close($con);
?>
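The page's approach keeps the query working for this one input, but addslashes() is a plain string helper: it knows nothing about the database connection or its character set, and the mysql_* extension it is paired with was removed in PHP 7.0. The reliable fix is to keep user data out of the SQL text entirely with a prepared statement, so a quote in the value can never change the structure of the query. The following is an added example written for this page, not code from the original article. It uses PDO with an in-memory SQLite database so it runs offline; the users table and the sample rows are constructed here to match the page, and the naive interpolated insert is run only inside a rolled-back transaction to show the failure.

```php
<?php
// Added example: naive interpolation vs. a prepared statement.
// PDO + in-memory SQLite, so no server is needed (constructed for this page).

function naiveInsertSucceeds(PDO $db, string $user, string $email): bool
{
    // The page's original technique: the value is pasted into the SQL text.
    // A single quote in $user ends the string literal and breaks the statement.
    $db->beginTransaction();
    try {
        $db->exec("INSERT INTO users (username, email) VALUES ('$user', '$email')");
        return true;
    } catch (PDOException $e) {
        return false;
    } finally {
        $db->rollBack(); // never keep the naive insert; it is only a demonstration
    }
}

function insertUser(PDO $db, string $user, string $email): void
{
    // Placeholders are bound separately from the SQL text. The driver never
    // re-parses the value, so no escaping is needed and quotes are stored verbatim.
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (:username, :email)');
    $stmt->execute([':username' => $user, ':email' => $email]);
}

function listUsers(PDO $db): array
{
    return $db->query('SELECT username, email FROM users ORDER BY username DESC')
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed inputs: the second is the quoted name from the page.
$inputs = [
    ['suman',  'suman@email.com'],
    ["sum'an", 'suman@email.com'],
];

foreach ($inputs as [$user, $email]) {
    $status = naiveInsertSucceeds($db, $user, $email) ? 'ok' : 'syntax error';
    echo "naive insert for '{$user}': {$status}\n";
    insertUser($db, $user, $email);   // always succeeds, value stored unchanged
}

echo "<table border='1'><tr><th>Name</th><th>Email</th></tr>\n";
foreach (listUsers($db) as $row) {
    // Escape for HTML output so stored data cannot inject markup into the page.
    printf("<tr><td>%s</td><td>%s</td></tr>\n",
        htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'));
}
echo "</table>\n";
```

Running it prints "ok" for the plain name and "syntax error" for sum'an on the naive path, while both rows are stored intact by the prepared statement. The same prepare/execute pattern works unchanged against MySQL through PDO's mysql driver or through mysqli, which is what a modern replacement for the sql_quotes.php page would use.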
Output: