
I think I may have done it. I'm used to massaging strings to input into mysql, so I was probably overdoing it.

 

When updating the DB, I first run the string through fnTick:

 

function fnTick($string) {
    // Double every single quote so the value can sit inside a '...'-delimited
    // SQL literal; the server folds '' back to a single ' when it stores it.
    $string = str_replace("'", "''", $string);
    return $string;
}

 

This takes care of the single quotes (or apostrophes) for my SQL statement. The db removes the second single quote for me - thanks, db.

 

UPDATE mytable 
SET 
desc = 'My test string here is "tester" test "quote" test''s',
name = 'This is "test''s"  ''test'' working "tester" test "quote" test''s Here''s another line "quote" '
WHERE 
ID = 737

 

Note that the values for the db fields are delineated by single quotes (desc='string in here'), so I only need to double up single quotes (''). Actual double quotes, or quotation marks, are passed through without a problem - I don't need to worry about them going INTO the db, but I do need to fix them coming OUT of it. I first tried doubling up both single and double quotes as suggested, but mssql retains double double quotes ("") - it only filters out double single quotes ('').

 

Once it's in the db with the correct double and single quotes, I have to be careful when pulling it out and displaying it in HTML. So, when I read from the db, I run all user strings through htmlspecialchars:

 

function fnUnTick($string) {
    // Encode &, <, >, " and ' as HTML entities before output, so quotes that
    // come back from the db cannot break out of the surrounding attribute or markup.
    $string = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
    return $string;
}

 

Sure would be easier if all dbs had some other way to delineate their SQL - something like <mssql>select from...</mssql>

 

:D

Sure would be easier if all dbs had some other way to delineate their SQL - something like <mssql>select from...</mssql>

They do; it's called a prepared statement. You send the SQL and the data in separate streams, so there is no need to escape it at all.

 

Even if you prepare a statement, you still have to fix your apostrophes in the preparation. The delineation issue is more of a PHP puzzle than a db one.

 

No, you don't. If you use a prepared statement (properly) you don't have to do any kind of escaping whatsoever. When you use a prepared statement the data is sent separately from the query, so there's no chance it will get mixed together and cause problems.
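The reply above describes sending the data separately from the SQL. As an added example that is not from this thread, here is the thread's own UPDATE done as a PDO prepared statement, with the quoting moved to the HTML output boundary. It assumes PHP with PDO, and uses an in-memory SQLite table constructed here in place of the MSSQL one so it runs offline.

```php
<?php
// Added example, not from the thread: the thread's UPDATE as a PDO prepared
// statement. An in-memory SQLite table stands in for the MSSQL one so this
// runs offline; with the sqlsrv PDO driver only the DSN would change.
function buildDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // "desc" is a reserved word, so it is quoted as an identifier here.
    $pdo->exec('CREATE TABLE mytable (ID INTEGER PRIMARY KEY, "desc" TEXT, name TEXT)');
    $pdo->exec("INSERT INTO mytable (ID, \"desc\", name) VALUES (737, '', '')");
    return $pdo;
}

// Store the raw values: the SQL text holds only placeholders and the data is
// bound separately, so no fnTick-style doubling of quotes is needed.
function updateRow(PDO $pdo, int $id, string $desc, string $name): int {
    $stmt = $pdo->prepare('UPDATE mytable SET "desc" = :desc, name = :name WHERE ID = :id');
    $stmt->execute([':desc' => $desc, ':name' => $name, ':id' => $id]);
    return $stmt->rowCount();
}

function readRow(PDO $pdo, int $id): array {
    $stmt = $pdo->prepare('SELECT "desc", name FROM mytable WHERE ID = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Escaping still belongs at the output boundary, which is HTML rather than SQL.
function fnUnTick(string $string): string {
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

// The thread's strings, with their single and double quotes, exactly as typed.
$desc = 'My test string here is "tester" test "quote" test\'s';
$name = 'This is "test\'s"  \'test\' working "tester" test "quote" test\'s Here\'s another line "quote" ';

$pdo = buildDemoDb();
updateRow($pdo, 737, $desc, $name);
$row = readRow($pdo, 737);

// Round trip: both values come back byte-for-byte as they were typed.
if ($row['desc'] !== $desc || $row['name'] !== $name) {
    throw new RuntimeException('round trip changed the stored value');
}

// Only now, when placing the value inside an attribute, are the quotes encoded.
echo '<input name="desc" value="' . fnUnTick($row['desc']) . '">' . PHP_EOL;
```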

 
