
I have a simple HTML form with some input fields and textareas. Users are allowed to input any text they want.

In my backend, I use PHP to insert this data into the database (in my case, PostgreSQL). However, I found that some special characters, such as single quotes and double quotes, may lead to failures in SQL execution. I think a backslash combined with other characters may result in the same problem.

So can anyone list all the special characters I should take care of, or even better, can anyone suggest some simple but reliable methods to avoid such problems?

Álvaro González
Ensom Hodder
  • If you do the database interaction right, there are no problems with such strings. How do you interact with your database? Are you trying to create SQL by hand? – hakre Apr 28 '13 at 10:15
  • Nothing should be escaped. Use prepared statements. –  Apr 28 '13 at 10:16
  • @hakre - It's getting so many duplicates that even the Stack Overflow search engine can find it :) – Álvaro González Apr 28 '13 at 10:18
  • Maybe this could help you: [how to escape special character in mysql](http://stackoverflow.com/questions/881194/how-to-escape-special-character-in-mysql) – Subedi Kishor Apr 28 '13 at 10:18
  • @KishorSubedi — Since the question states that the database isn't MySQL, not so much. – Quentin Apr 28 '13 at 10:19
  • @Ensom - The question is not bad, but we cannot type again the awesome answers it already has. I've removed the `html` tag because it doesn't need special handling. In SQL context, it's just *text*. – Álvaro González Apr 28 '13 at 10:22
  • @hakre Yes, I am just using plain SQL statements in my PHP code. Any better ways to do it? – Ensom Hodder Apr 28 '13 at 10:28
  • Yes, use prepared statements. You are using PostgreSQL anyway; you should adopt the good practices it offers. It's a very fine database, be proud of it :) http://stackoverflow.com/search?q=%5Bphp%5D+prepared+statements+Postgres - Upvote questions and answers that help you along the way. – hakre Apr 28 '13 at 10:30
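The approach the comments recommend, written out as an added PHP/PDO example (not code from the question or from any commenter); the table name, column names and connection DSN are assumptions:

```php
<?php
// Added example. Assumes a PostgreSQL table messages(name text, body text)
// and a PDO pgsql connection; the DSN, user and password are placeholders.

$pdo = new PDO(
    'pgsql:host=localhost;dbname=app',
    'app_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let PostgreSQL bind the parameters itself
    ]
);

// Form values taken exactly as submitted; nothing is escaped or stripped here.
$name = $_POST['name'] ?? '';
$body = $_POST['body'] ?? '';

// BROKEN: building the statement by hand. A value such as O'Brien closes the
// string literal early and the INSERT fails; because the value becomes part of
// the SQL text, it can also change what the statement means.
// $pdo->exec("INSERT INTO messages (name, body) VALUES ('$name', '$body')");

// CORRECT: the SQL text and the values are sent separately. Quotes, backslashes,
// semicolons, comment markers and so on are stored as plain text, so there is no
// list of characters to watch for. (PostgreSQL's text type rejects NUL bytes;
// with ERRMODE_EXCEPTION that surfaces as a catchable PDOException, not a
// malformed query.)
$stmt = $pdo->prepare('INSERT INTO messages (name, body) VALUES (:name, :body)');
$stmt->execute([':name' => $name, ':body' => $body]);

// Reading it back works the same way: parameters, never concatenation.
$select = $pdo->prepare('SELECT body FROM messages WHERE name = :name');
$select->execute([':name' => $name]);

// Escaping belongs to the output context, not the database. When the stored
// text is rendered into an HTML page, encode it for HTML at that point.
foreach ($select as $row) {
    echo '<p>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```

If the code base uses the pgsql extension rather than PDO, `pg_query_params()` gives the same separation of SQL text from values.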
