Results 1 to 7 of 7
  1. #1
    Join Date
    Feb 2005
    Posts
    14

    Unanswered: Escaping text fields in sql statements

    I know that I have to escape single quotes with a single quote, but do I still need to escape a text field with backslashes when inserting the data or is this done by the db? MySQL, SQLite and PgSQL have specific functions in PHP to do this.

  2. #2
    Join Date
    Sep 2004
    Location
    London, UK
    Posts
    565
    What is a "text field"?

  3. #3
    Join Date
    Aug 2003
    Location
    Where the Surf Meets the Turf @Del Mar, CA
    Posts
    7,776
    Provided Answers: 1
    I'm glad you know what in the world you are talking about, but I certainly don't.
    You mention four different s/w products, none of which are Oracle.
    You provided NO example of what you have tried or what you really want to do,
    what OS, which version of Oracle or what s/w client you are attempting to use.
    You're On Your Own (YOYO)!
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

  4. #4
    Join Date
    Feb 2005
    Posts
    14
    I should have said a text column. A text field is a form input that receives text data and may have special chars. I mentioned that I knew that single quotes had to escaped with a single quote. I simply wanted to know if any other escaping was required for special chars in a string such as ampersands, backslashes, etc., that will be inserted. I found that SQL Server only requires that single quotes be escaped, so I am gonna assume that Oracle only requires that. The reason I need to know this is that I have a PHP class to access multi db types and each has its own quirks on how it handles gpc text data.
    Last edited by mtjo; 01-22-06 at 12:37.

  5. #5
    Join Date
    May 2004
    Location
    Dominican Republic
    Posts
    721
    No escaping is needed in Oracle if you are using BIND VARIABLES. That is, you dont do stuff like (if using ado in php): $db->execute("insert into table ( field ) values ('".$_POST['formfield']."')") .. you, instead, do: $db->execute("insert into table ( field ) values ( ? )", array($_POST['formfield']) ). And this not only applies to oracle, but for every other db out there (including SQL Server!).

  6. #6
    Join Date
    Feb 2005
    Posts
    14
    Actually, I am using prepared statements/binding and I rolled my own generic bind method to handle gpc data. The prob with PHP is that the "magic_quotes_gpc" setting may or may not be enabled on any given install and I wanted to be sure to remove all escaping (backslashes) from prepared queries if the db doesn't require it.

  7. #7
    Join Date
    May 2004
    Location
    Dominican Republic
    Posts
    721
    I believe it would really depends on the char set encoding type your DB is in (being it single or multi-byte) and of course, the operation you're about to apply. For inserts, I believe escaping just ' is *ok*. For selects and like operations, there.. ' and _ has both especial meaning and so on. Also, you might want to have a matching between the content-type encoding your forms uses and the db's one. But I still insist that if you use properly binding with your statements, that *shouln't* be a problem.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •