Problem with mysqli_real_escape_string (and magic quotes is off) - mysqli

I am having a problem with mysqli_real_escape_string and single quotes.
Anytime an insert takes a value that includes a ' mysqli_real_escape_string replaces it with \' causing the insert to fail.
I do not have magic quotes enabled, which seems to be a common cause of this problem, but still find I get \' and not \' or even \\'
Can anyone tell me what might have gone wrong here?

Taking this to an answer since comments are a bit limiting.
So you're generating the query like
$a = mysqli_real_escape_string(... something ...);
$b = mysqli_real_escape_string(... something else ...);
$sql = "INSERT ... VALUES ('$a', '$b')";
?
OK, so let's say this:
$a = "'"; // a is now a single quote: '
$escaped_a = mysqli_real_escape_string($link, $a); // $link is the open connection; $escaped_a should be \' now
$sql1 = "INSERT ... VALUES ('$a' ..."
$sql2 = "INSERT ... VALUES ('$escaped_a' ..."
you should end up with
INSERT ... VALUES (''' ...
INSERT ... VALUES ('\'' ...
The first one is "bad" because of the extra quote. The second is valid.
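As an added Python model (not code from the original answer) of what the escaping does and why the caller still supplies the surrounding quotes: the ESCAPES table is an assumption mirroring the characters the MySQL client library rewrites, and the delimiter count is the check that separates the two queries above.

```python
# Added example: a Python model of mysqli_real_escape_string and of the query
# assembly from the answer.  ESCAPES is an assumption that mirrors the characters
# the MySQL client library rewrites (NUL, newline, CR, backslash, quotes, Ctrl-Z);
# the real function also depends on the connection character set.
ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def escape_string(value: str) -> str:
    """Backslash-escape the characters MySQL treats specially inside a literal.

    Note what it does NOT do: it adds no surrounding quotes, so the caller's
    template must still wrap the value in '...'.
    """
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_insert(a: str, b: str, escape: bool = True) -> str:
    """Assemble the INSERT the way the answer does; the quotes come from the template."""
    if escape:
        a, b = escape_string(a), escape_string(b)
    return f"INSERT INTO t (x, y) VALUES ('{a}', '{b}')"


def delimiter_quotes(sql: str) -> int:
    """Count the single quotes the MySQL parser would treat as string delimiters.

    A backslash-escaped quote is part of the literal, not a delimiter.  An odd
    count means an unterminated literal (the failing insert from the question);
    a value that closes the literal early is the injection risk that prepared
    statements remove entirely.
    """
    count, escaped = 0, False
    for ch in sql:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            count += 1
    return count


if __name__ == "__main__":
    for use_escape in (False, True):
        sql = build_insert("'", "b", escape=use_escape)
        print(f"{delimiter_quotes(sql)} delimiters: {sql}")
```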

Related

Need help understanding quotation marks in a SQL string to be passed to linked server.

I need to build a SQL statement to be submitted on a linked server. The statement makes use of @parameters and CASE statements which contain quotation marks.
I found this Microsoft article 'How to pass a variable', which seemed ideal; however, I am not able to get everything going. It seems that the linked server is not enabled for the final and neatest suggestion of calling sp_executesql, so I have been trying the first two examples.
To start with, here is a cut down example of my SQL statement on its own:
SELECT *,
CASE WHEN FLDA = 'ABC' THEN 'DEF' ELSE 'ABC' END AS COL1
FROM MYTABLE
WHERE FLDB = @PARM
1. I can get the query to work when excluding the CASE statement:
DECLARE @TSQL NVARCHAR(4000), @PARM NVARCHAR(10)
SET @PARM = 'ABC'
SET @TSQL = 'SELECT * FROM OPENQUERY(MYLINKEDSERVER, ''
SELECT *
FROM MYTABLE
WHERE FLDA = '''''+@PARM+''''''')'
EXEC (@TSQL)
However, I don't understand why I require 5 quotes before @PARM and then 7(!) after it. When coding SQL statements in a string in previous languages, just 2 quotation marks together acted as a single one. So why 5 and 7?
2. I can't get the SQL to work at all when attempting to add the CASE statement. I have tried all combinations of 2, 3 and 4 quotation marks but to no avail. Do I again need a certain number of opening quotes and then a different number of closing quotes?
DECLARE @TSQL NVARCHAR(4000), @PARM NVARCHAR(10)
SET @PARM = 'ABC'
SET @TSQL = 'SELECT * FROM OPENQUERY(MYLINKEDSERVER, ''
SELECT *,
CASE WHEN FLDA = ''ABC'' THEN ''DEF'' ELSE ''ABC'' END AS COL1
FROM MYTABLE
WHERE FLDA = '''''+@PARM+''''''')'
EXEC (@TSQL)
Any help greatly appreciated!
Cheers
Mark
My first question was why I need 5 and 7 quotes, so there was no error message there, but I get the point that I could have listed some of the errors seen when I was getting the incorrect number of quotes.
However, the tip to use PRINT was very useful, so thank you all for that!
So it transpires that I do indeed require a pair of quotes where a single quote is required. However, as I am creating a SQL string within a string, I need to double that again. So I first need to end my string with a single quote and then add 4 quotes to create the double quote required to precede the variable - hence 5. And likewise, I need 4 quotes to get a pair of quotes following the variable, another pair of quotes for the quote to end the statement and then a final one to wrap around the end bracket of the OPENQUERY command....I hope that sort of reads correctly!
So:
WHERE FLDA = '''''+@PARM+''''''')'
Printed as:
WHERE FLDA = ''ABC''')
And for my CASE statement, I required 4 set of quotes, to equate to 2. So:
CASE WHEN FLDA = ''''ABC'''' THEN ''''DEF'''' ELSE ''''ABC'''' END AS COL1
Printed as:
CASE WHEN FLDA = ''ABC'' THEN ''DEF'' ELSE ''ABC'' END AS COL1
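As an added Python model (not code from the thread) of the nesting that produces the 5 and 7 quotes: each level wraps the text as a T-SQL literal and doubles every quote inside it, and the same functions run backwards give the PRINT output and the text the linked server receives. Server and column names are the thread's; the function names are assumptions.

```python
# Added example: a Python model of T-SQL string-literal quoting that reproduces
# the 5 and 7 quotes from the thread.  Every nesting level doubles each quote the
# inner text carries.  The value of @PARM is spliced in as raw text, so a quote
# inside it would break the nesting; sp_executesql parameters avoid that.


def tsql_literal(text: str) -> str:
    """Wrap text as a T-SQL literal, doubling any embedded single quote."""
    return "'" + text.replace("'", "''") + "'"


def unquote(literal: str) -> str:
    """Inverse of tsql_literal: what the parser sees inside the literal."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a quoted literal")
    return literal[1:-1].replace("''", "'")


def openquery_batch(server: str, remote_prefix: str, remote_suffix: str = "") -> str:
    """Return the SET @TSQL = ... statement that splices @PARM into the remote SQL.

    remote_prefix/remote_suffix is the remote statement as the linked server must
    see it, split where the value of @PARM goes (the value sits in a remote literal).
    """
    # Level 1: the remote text as the literal argument of OPENQUERY, split in two.
    # The remote literal around the value is written '' because it is itself
    # inside the OPENQUERY literal.
    local_prefix = f"SELECT * FROM OPENQUERY({server}, '" + remote_prefix.replace("'", "''") + "''"
    local_suffix = "''" + remote_suffix.replace("'", "''") + "')"
    # Level 2: each half becomes a local literal, with @PARM concatenated between.
    return "SET @TSQL = " + tsql_literal(local_prefix) + "+@PARM+" + tsql_literal(local_suffix)


def print_tsql(batch: str, parm_value: str) -> str:
    """Evaluate the SET statement as the local server would: the PRINT @TSQL output."""
    lhs, rhs = batch.split(" = ", 1)
    if lhs != "SET @TSQL":
        raise ValueError("unexpected statement")
    left, _, right = rhs.partition("+@PARM+")
    return unquote(left) + parm_value + unquote(right)


def remote_statement(local_sql: str) -> str:
    """Undo one more level: the text the linked server actually receives."""
    start = local_sql.index(", '") + 2
    return unquote(local_sql[start:-1])  # drop the closing ) of OPENQUERY
```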

PhpOrient query returns negative RIDs by default

I'm trying to retrieve a simple graph consisting of some Assignments that are linked to each other. However, after querying one set of those assignments, the RIDs that are returned are all negative and have nothing to do with the RIDs in the database, so I can't run other queries based on those RIDs. How should I get around this, or am I doing something wrong?
Here is the code snippet responsible:
$records = $this->client->queryAsync('select rID, value, schedule, priority, type from Assignment where type = 5');
foreach ($records as $record)
{
$id = $record->getRid();
$rid = $id->__toString();
$return[$rid] = $this->client->query('TRAVERSE out("Assignment") FROM ' . $rid . ' WHILE $depth <= 5');
}
and the error that I receive:
com.orientechnologies.orient.core.exception.ORecordNotFoundException: The record with id '#-2:0' was not found
However in the database the first id is: #18:0
Hi Pirate's Lost Pearl,
It is probably a problem with the transactions: OrientDB makes negative RIDs when they are temporary. After the commit, the RIDs are changed to positive; here is the doc.
There are a couple of errors in your code:
First off you should change your __toString(); into _toString(); using a single underscore.
Then fix the $this->client->query by either switching quotation marks at the end, such as " WHILE $depth <= 5", or concatenating the variable while keeping the same quotes: ' WHILE ' . $depth . ' <= 5'.
OrientDB Docs | getRid()

Perl script replace syntax

Below is my Perl script
str_replace(rtrim(c_manager),'''','_'),'."\n".
throws error
str_replace(rtrim(c_manager), '''"
Bad name after _' at pl_recert_output.pl line 262.
Please help to solve this issue:
$sql = 'select rtrim(f_admin_disabled),'."\n".
' convert(varchar,t_password,101),'."\n".
' rtrim(c_email),'."\n".
' str_replace(rtrim(c_manager),'''','_'),'."\n".
' rtrim(c_mgr_email)'."\n".
' from tuserprofile'."\n".
' where ic_user1 = '."'$user_id'"."\n";
You have single quotes within your single-quoted string.
Single quotes within a single-quoted string must be escaped with \'.
However, you would be better off using the multi-line quoting syntax for cleaner code:
# an unquoted <<EOF heredoc still interpolates $user_id, like a double-quoted string
$sql = <<EOF;
select rtrim(f_admin_disabled),
convert(varchar,t_password,101),
rtrim(c_email),
str_replace(rtrim(c_manager),'''','_'),
rtrim(c_mgr_email)
from tuserprofile
where ic_user1 = '$user_id'
EOF
This has the intended result without messy escaping and string concatenation.
You need to escape the single quotes in your variable assignment:
my $user_id = 'test';
my $sql = 'select rtrim(f_admin_disabled),'."\n".
' convert(varchar,t_password,101),'."\n".
' rtrim(c_email),'."\n".
' str_replace(rtrim(c_manager),\'\'\'\',\'_\'),'."\n".
' rtrim(c_mgr_email)'."\n".
' from tuserprofile'."\n".
' where ic_user1 = '."'$user_id'"."\n";
print $sql;
results in:
select rtrim(f_admin_disabled),
convert(varchar,t_password,101),
rtrim(c_email),
str_replace(rtrim(c_manager),'''','_'),
rtrim(c_mgr_email)
from tuserprofile
where ic_user1 = 'test'
Check if that is the result you expected.

How to ignore escape character ?

this is my string
$mystring = "INSERT INTO `glpi_networkports` (`entities_id`,`is_recursive`,`items_id`,`itemtype`,`comment`,`logical_number`,`name`,`networkinterfaces_id`,`ip`,`mac`,`netmask`,`gateway`,`subnet`,`netpoints_id`)"
How can i ignore escape ?
Because it gave me string like this :
INSERT INTO glpi_networkports (entities_id,is_recursive,items_id,itemtype,comment,logical_number,
ame,
etworkinterfaces_id,ip,mac,
etmask,gateway,subnet,
etpoints_id)
Thanks
Currently your select statement is changed because you used a double-quoted string, and `n is expanded to a new line, turning the select into an invalid statement.
Use single quotes to maintain the backticks and disable string expansion.
Use quotes or double the escape character:
$mystring = "INSERT INTO 'glpi_networkports' ..."
$mystring = "INSERT INTO ``glpi_networkports`` ..."

Why is the T-SQL "LIKE" operator not evaluating this expression like I think it should?

I am attempting to error trap a T-SQL variable name by making sure that the value of the variable is prefixed with a bracket "[".
Here's an example of how I am trying to do this:
DECLARE @thing nvarchar(20)
SET @thing = '[55555'
IF(@thing NOT LIKE '[' + '%') --If the value does not start with [ then add it
BEGIN
SET @thing = '[' + @thing
END
PRINT @thing
The example above PRINTs [[55555
Notice that the original value of @thing was prefixed with the bracket "[". I was expecting the IF condition to return false since "[55555" is LIKE '[' + '%'
Why is the IF condition not returning false? And, more importantly I suppose, what is the correct syntax to check for the existence of a string that occurs at the beginning of a variable string value?
EDIT
It appears that there is something special about the bracket "[". When I run LIKE on a bracket it doesn't do what I expect, but when I don't use a bracket the LIKE works the way I expect.
Check out these examples:
IF('[' NOT LIKE '[')
BEGIN
PRINT '[ is NOT LIKE ['
END
ELSE
BEGIN
PRINT '[ is LIKE ['
END
IF('StackO' NOT LIKE 'StackO')
BEGIN
PRINT 'STACKO is NOT LIKE StackO'
END
ELSE
BEGIN
PRINT 'STACKO is LIKE StackO'
END
Here's the output of the two conditions:
[ is NOT LIKE [
STACKO is LIKE StackO
I believe it may be because '[' is actually part of the LIKE operators syntax, as defined here: http://msdn.microsoft.com/en-us/library/ms179859.aspx
You need to define an escape character to escape the [, like this:
DECLARE @thing nvarchar(20)
SET @thing = '[55555'
IF(@thing NOT LIKE '\[%' ESCAPE '\' )
BEGIN
SET @thing = '[' + @thing
END
PRINT @thing
An alternative solution would be the following:
DECLARE @thing nvarchar(20)
SET @thing = '[55555'
IF(LEFT(@thing,1) <> '[') --If the value does not start with [ then add it
BEGIN
SET @thing = '[' + @thing
END
PRINT @thing
To get it working, change your check to
IF (SUBSTRING(@thing, 1,1) != '[')
The reason the LIKE is not working is that [ is a special character in LIKE, just like % is. See here
Bracket characters ([ and ]) are special wildcard characters in T-SQL. To search for those literal characters, you'll want to escape those characters (indicate that you want to search for those literal characters, rather than employing them as wildcards). Use ESCAPE to do this, like so:
DECLARE @thing nvarchar(20)
SET @thing = '[55555'
-- pick an escape character you won't see in your content
IF(@thing NOT LIKE '![' + '%' ESCAPE '!')
BEGIN
SET @thing = '[' + @thing
END
PRINT @thing
This prints [55555.
From MSDN:
You can search for character strings that include one or more of the special wildcard characters... To search for the percent sign as a character instead of as a wildcard character, the ESCAPE keyword and escape character must be provided. For example, a sample database contains a column named comment that contains the text 30%. To search for any rows that contain the string 30% anywhere in the comment column, specify a WHERE clause such as WHERE comment LIKE '%30!%%' ESCAPE '!'.
You have to escape special characters (brackets, single quotes, etc.). In this case, you could do this:
LIKE '[['
EDIT:
PS -- [ is a special character because it can be used for wildcards, like this: LIKE '[0-9]' to do pattern-matching. (In this case, the match is like a regex -- any digit between 0 and 9.)
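As an added Python example (not code from any of the answers above) of the two ways to match a literal [ and of why a caller-supplied prefix must be escaped before it goes into a LIKE pattern: escape_like covers %, _ and [ at once, and sql_like is a small emulation of T-SQL LIKE semantics (wildcards, sets, ESCAPE) that reproduces the results the question observed. The function names are assumptions.

```python
import re

LIKE_META = "%_["  # ] is only special inside a [set], so it needs no escaping


def escape_like(text: str, esc: str = "!") -> str:
    """Prefix every LIKE metacharacter (and the escape char itself) with esc.

    Use the result with ESCAPE esc; it then matches only the literal text, so a
    value such as '[55555' or '100%' cannot act as a wildcard.
    """
    return "".join(esc + ch if ch in LIKE_META or ch == esc else ch for ch in text)


def starts_with_pattern(prefix: str, esc: str = "!") -> str:
    """Pattern for 'value begins with prefix', safe for prefixes such as '['."""
    return escape_like(prefix, esc) + "%"


def like_to_regex(pattern: str, esc: str = "") -> str:
    """Translate a T-SQL LIKE pattern (%, _, [set], [^set], ESCAPE) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if esc and ch == esc and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped: next char is literal
            i += 2
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1 or end == i + 1:
                return "(?!)"  # unterminated or empty set matches nothing (the '[' case)
            body = pattern[i + 1:end].replace("\\", "\\\\").replace("[", "\\[")
            out.append("[" + body + "]")  # keeps ^ negation and ranges such as 0-9
            i = end + 1
        else:
            out.append({"%": ".*", "_": "."}.get(ch, re.escape(ch)))
            i += 1
    return "".join(out)


def sql_like(value: str, pattern: str, esc: str = "") -> bool:
    """Emulate value LIKE pattern [ESCAPE esc] for the constructs handled above."""
    return re.fullmatch(like_to_regex(pattern, esc), value, re.DOTALL) is not None
```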