Escaping characters for SQL statements
These characters need a backslash in front of them to be included in a string literal:
- Single quote (')
- Double quote (")
- Backslash (\)
- NUL (the NULL byte, \x00)
The SQL-standard alternative is to double the quote: inside a single-quoted literal the value That's all is written as 'That''s all'.
- When you type the statement yourself (e.g. in phpMyAdmin) you enter the two single quotes by hand; when the statement is built by code, the escaping function has to produce them (or the backslash form, which MySQL also accepts).
mysql_real_escape_string() (the newer function; addslashes() below is the older one)
Escapes special characters in a string, taking into account the current character set of the connection, so that the result is safe to place in a mysql_query() call. Binary data must go through this function.
mysql_real_escape_string() calls the MySQL client library function mysql_real_escape_string(), which prepends a backslash to each of: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be applied to data before it is placed in a query sent to MySQL.
Caveat: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. The same escaping is available as mysqli_real_escape_string() / mysqli::real_escape_string() and PDO::quote(), and prepared statements avoid having to escape at all.
// $menu_name is interpolated inside a '...' literal; $position and $visible are
// interpolated bare, so they must already be integers (cast with (int) first).
$query = "INSERT INTO subjects (
menu_name, position, visible
) VALUES (
'{$menu_name}', {$position}, {$visible}
)";
- A quote in $menu_name (e.g. That's all) that has not been escaped ends the '...' literal early, and whatever follows is parsed as SQL: the INSERT fails with a syntax error, or runs something else entirely if the value is attacker-controlled. Escape $menu_name (or use a prepared statement) before building the query.
addslashes()
- Returns a string with a backslash before each character that needs quoting in database queries: single quote ('), double quote ("), backslash (\) and NUL.
- Unlike mysql_real_escape_string() it knows nothing about the connection's character set, so it is not a safe substitute for the DBMS-specific escape function; use it only where that function is unavailable.
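The three ways of getting a value containing a quote into the INSERT above, side by side, as an added example (this is not code from the original notes). It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server (pdo_sqlite is assumed to be installed); the subjects table and the "That's all" input are constructed for the example. Note that SQLite only understands the '' doubling rule, not MySQL's backslash escapes, which is why PDO::quote() is used rather than a hand-written backslash escaper.

```php
<?php
// Added example, not from the original notes. PDO + in-memory SQLite so it runs
// offline; the table and the input value are constructed for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subjects (id INTEGER PRIMARY KEY, menu_name TEXT, position INTEGER, visible INTEGER)');

// Constructed input containing a single quote, as in the "That's all" example above.
$menu_name = "That's all";
$position  = 3;
$visible   = 1;

// 1. Interpolating the raw value: the quote inside $menu_name closes the '...'
//    literal early and the rest of the value is parsed as SQL. With this input
//    that is a syntax error; with attacker-chosen input it is whatever SQL they
//    choose to append.
$raw = "INSERT INTO subjects (menu_name, position, visible) VALUES ('{$menu_name}', {$position}, {$visible})";
try {
    $db->exec($raw);
    echo "raw interpolation unexpectedly succeeded", PHP_EOL;
} catch (PDOException $e) {
    echo "raw interpolation failed: ", $e->getMessage(), PHP_EOL;
}

// 2. Escaping: PDO::quote() applies the driver's own rule and wraps the result in
//    quotes. For SQLite that is the '' doubling rule from the notes; for MySQL
//    (mysqli::real_escape_string / PDO::quote on a MySQL connection) it is the
//    backslash form. Numeric fields are cast so nothing but digits is interpolated.
$quoted = $db->quote($menu_name);
$db->exec("INSERT INTO subjects (menu_name, position, visible) VALUES ({$quoted}, " . (int) $position . ", " . (int) $visible . ")");

// 3. Prepared statement: the value never becomes part of the SQL text, so no
//    escaping rule has to be chosen at all. Prefer this over any escape function.
$stmt = $db->prepare('INSERT INTO subjects (menu_name, position, visible) VALUES (:name, :pos, :vis)');
$stmt->execute([':name' => $menu_name, ':pos' => $position, ':vis' => $visible]);

// Rows 1 and 2 (escaped and prepared) both store the literal text That's all.
foreach ($db->query('SELECT id, menu_name FROM subjects ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['menu_name'], PHP_EOL;
}
```

Run it with `php example.php`. Step 1 throws, steps 2 and 3 both insert the value intact; the difference between them is that step 2 still depends on picking the escape rule that matches the connection (character set included), while step 3 does not.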
-
Array[] (append to an array)
- $array[] = $value appends: the new key is one more than the largest integer key the array has used so far (0 for an array with no integer keys).
$thisArray[13] = "thirteen";
$thisArray[] = "fourteen";   // stored under key 14