katriar Posted January 8, 2010 Share Posted January 8, 2010 Hi, I am very new in PHP. I am trying to make a page which takes input from user and a php file will parse the same. In sql query there are two parameter one is of int data type and other one is varchar. It takes the correct input from the 1st page but the value for varchar field is not coming in double or single quotes [" ",' '] thats why mysql does not parse the data. My sql query is as below. $query= "select * from person where emp_id=" . $_POST['user'] . " and description=" . $_POST['user1'] . ""; Please suggest, Quote Link to comment https://forums.phpfreaks.com/topic/187694-double-quotes/ Share on other sites More sharing options...
Mchl Posted January 8, 2010 Share Posted January 8, 2010 Use mysql_real_escape_string Also lookup 'SQL injection' to see why it's important (apart from being able to parse quotes) Oh,and you also need to add some quotes in your query, whereever a string is expected $query= "select * from person where emp_id='$user' and description= '$user1' "; Quote Link to comment https://forums.phpfreaks.com/topic/187694-double-quotes/#findComment-990894 Share on other sites More sharing options...
PHP Monkeh Posted January 8, 2010 Share Posted January 8, 2010 Although looking up mysql_real_escape_string() is a good start, it's not the solution here. Just wrap single quotes around your strings: $query= "select * from person where emp_id='" . $_POST['user'] . "' and description='" . $_POST['user1'] . "'"; Quote Link to comment https://forums.phpfreaks.com/topic/187694-double-quotes/#findComment-990896 Share on other sites More sharing options...
cags Posted January 8, 2010 Share Posted January 8, 2010 If you need to use double quotes inside a string you need to escape them by using a backslash... $string = "This is \"how to escape characters\""; // alternatively just use single quotes $string = "This is 'how to not need to escape characters'"; Also you really should pass any value input by the user through mysql_real_escape_string. $query= "SELECT * FROM person WHERE emp_id='" . mysql_real_escape_string($_POST['user']) . "' AND description='" . mysql_real_escape_string($_POST['user1']) . "'"; Quote Link to comment https://forums.phpfreaks.com/topic/187694-double-quotes/#findComment-990899 Share on other sites More sharing options...
PravinS Posted January 8, 2010 Share Posted January 8, 2010 You can use this function function quote_smart($value) { // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Quote if not a number or a numeric string if (!is_numeric($value)) { $value = "'" . mysql_real_escape_string($value) . "'"; } return $value; } Quote Link to comment https://forums.phpfreaks.com/topic/187694-double-quotes/#findComment-990900 Share on other sites More sharing options...
katriar Posted January 8, 2010 Author Share Posted January 8, 2010 Thanks for all the valuable replies. I used the monkesh's solution and it worked for me. Thanks a ton friend. Quote Link to comment https://forums.phpfreaks.com/topic/187694-double-quotes/#findComment-990906 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.