0

Why should we escape double quotes,single quotes creating queries in PHP? are there any particular benefits when doing that? or it is just a good practice?

user962206
  • 15,637
  • 61
  • 177
  • 270
  • 3
    because of bobby tables... http://xkcd.com/327/ (read up on sql injection http://en.wikipedia.org/wiki/SQL_injection ) – Gryphius Jun 11 '12 at 05:43
  • Note: It is not sufficient to only escape double and single quotes. For example in MySQL you need to escape backslashes as well. So do not escape yourself, but use the provided functions (e. g. [mysql_real_escape_string](http://php.net/manual/de/function.mysql-real-escape-string.php)). Even better: Use parametrized queries instead of concatenating the values directly into the query string. – Hendrik Brummermann Jun 11 '12 at 06:04

3 Answers3

3

It is required to make your queries work and secure. Consider the following code:

$name = "O'reilly";
$sql  = "INSERT INTO users (name) VALUES ('$name')";

The result SQL would become like this:

INSERT INTO users (name) VALUES('O'reilly');

Which simply doesn't work. It needs to be properly escaped:

INSERT INTO users (name) VALUES('O\'reilly');

The same applies for other special chars.

Prevent SQL injection

Consider this query:

DELETE FROM users WHERE username='$username';

Where $username is obtained from $_POST. If an attacker managed to post string like ' OR 1; -- as the $username then the query becoming this:

DELETE FROM users WHERE username='' OR 1; -- ';

which is valid and the WHERE always evaluates to true and you will have to give good explanation to your angry users.

See also: Best way to prevent SQL Injection in PHP

Community
  • 1
  • 1
flowfree
  • 16,356
  • 12
  • 52
  • 76
  • I see, but how does this prevent MySQL Injection? – user962206 Jun 11 '12 at 05:53
  • In case someone enters their name as `'); DROP TABLE users; --`. Though, mysql will only execute one query, so a more likely attack might be during login: `SELECT * FROM users WHERE username = '' OR 1; -- AND password = ...` – nickf Jun 11 '12 at 06:02
  • @user962206 I added an example for SQL injection. – flowfree Jun 11 '12 at 06:08
0

If you do not escape quotes, The query ends at the place of single quotes. So your query will not be executed successfully!

E.g.

$qry = "SELECT * FROM user WHERE email='test@test.com'";

It works fine but if any one enters email='test'@test.com' then query ends at 'test' only and not find any rows with that one.

So it prevents also a sql injection!

Udit Trivedi
  • 246
  • 3
  • 14
  • How does escaping quotes prevent SQL injections? – user962206 Jun 11 '12 at 05:53
  • In such conditions where you fetching value from query string and it used for fetching data from db, at that time if you escape the quotes you can prevent sql injection. i.e. if you are passing name=test in the query string, and someone changes it to name=te'st it can be harm your db. – Udit Trivedi Jun 11 '12 at 05:59
0

s, to prevent from SQL injection attacks. To know SQL injection http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php http://www.homeandlearn.co.uk/php/php13p5.html

To prevent PHP Sql injection https://stackoverflow.com/a/60496/781181

Community
  • 1
  • 1
Jayabal
  • 3,619
  • 3
  • 24
  • 32