
I am trying to load vCard information into a database field as a long text string. In some cases the vCard information comes with a parameter that ends in "$_" (see the second-to-last line). I cannot get PHP to bring this into the variable as a string to escape it.

```php
$vcard = mysqli_real_escape_string($connection, "BEGIN:VCARD
    VERSION:3.0
    FN:Your Name
   N:Name;Your;;;
   EMAIL;TYPE=INTERNET;TYPE=WORK:your@email.here
   TEL;TYPE=CELL:
   ADR;TYPE=HOME:;;I am here;;;;
   ORG:Your organization
   TITLE:Owner and Co-Creator
   item1.URL:https\://yoursite.com
   item1.X-ABLabel:_$!<HomePage>!$_
          END:VCARD");
```

I get a "Notice: Undefined variable: _ in C:" error. I can manually escape the second $ but that defeats the purpose. I tried metaquote() and that does not work either. Any help on how I can circumvent this error?

1 Answer

Replace your double quotes with single quotes. Variables within double quotes are interpolated, while they are not when they are within single quotes.

```php
$vcard = mysqli_real_escape_string($connection, 'BEGIN:VCARD
    VERSION:3.0
    FN:Your Name
   N:Name;Your;;;
   EMAIL;TYPE=INTERNET;TYPE=WORK:your@email.here
   TEL;TYPE=CELL:
   ADR;TYPE=HOME:;;I am here;;;;
   ORG:Your organization
   TITLE:Owner and Co-Creator
   item1.URL:https\://yoursite.com
   item1.X-ABLabel:_$!<HomePage>!$_
          END:VCARD');
```
Adrien
  • That's a bit of a leap into the dark. How do you know that's what the OP is doing? Also, even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 02 '17 at 18:57
  • Looks like there are no params in the quoted text, so no possibility of doing a SQL injection. Everything is hardcoded. – Adrien Jul 03 '17 at 09:09
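The quoting rule from the answer and the prepared-statement point raised in the comments, worked through as an added example (this is not code from the question, the answer or the commenters). It goes slightly beyond the answer: it uses a nowdoc instead of a single-quoted literal, which also drops the leading whitespace that a vCard parser would read as line folding, and it binds the value as a parameter rather than escaping it. The host, credentials, database, table and column names are assumptions for the illustration.

```php
<?php
// Added example, not code from the question or the accepted answer.
// It shows (1) why "$_" is interpolated inside a double-quoted string,
// (2) a nowdoc as the multi-line, no-interpolation alternative to single
// quotes, and (3) storing the value with a prepared statement instead of
// mysqli_real_escape_string(). Host, credentials, database, table and
// column names below are assumptions.

// (1) In a double-quoted string, "$" followed by a letter or underscore
// starts a variable. "$!" stays literal because "!" cannot begin a name,
// but "$_" is the variable $_, which is undefined here: PHP warns and the
// two characters are replaced by an empty string.
$interpolated = "item1.X-ABLabel:_$!<HomePage>!$_";  // emits "Undefined variable $_"
// $interpolated is now "item1.X-ABLabel:_$!<HomePage>!" with the trailing "$_" lost.

// (2) A nowdoc (<<<'VCF') behaves like a single-quoted string: nothing is
// interpolated and no escape sequences are processed, so "$_" survives
// without a backslash. The lines are kept flush-left on purpose: in vCard a
// line that begins with a space or tab is a folded continuation of the
// previous line (RFC 2426, section 2.6), so the indented copy from the
// question would not parse as separate properties.
$vcard = <<<'VCF'
BEGIN:VCARD
VERSION:3.0
FN:Your Name
N:Name;Your;;;
EMAIL;TYPE=INTERNET;TYPE=WORK:your@email.here
TEL;TYPE=CELL:
ADR;TYPE=HOME:;;I am here;;;;
ORG:Your organization
TITLE:Owner and Co-Creator
item1.URL:https\://yoursite.com
item1.X-ABLabel:_$!<HomePage>!$_
END:VCARD
VCF;

// vCard lines are CRLF-terminated; normalise whatever line endings the
// source file was saved with so the stored value does not depend on them.
$vcard = preg_replace('~\r?\n~', "\r\n", $vcard);

// Sanity check before touching the database: the problematic label is intact.
if (strpos($vcard, 'item1.X-ABLabel:_$!<HomePage>!$_') === false) {
    throw new RuntimeException('vCard label was altered during string handling');
}

// (3) Bind the vCard as a parameter. The value travels separately from the
// SQL text, so quotes, backslashes and dollar signs inside it need no
// escaping and cannot change the statement. mysqli_real_escape_string()
// only gives that guarantee when the connection charset is set correctly
// and every interpolated value is escaped; binding removes both conditions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);            // throw on errors
$connection = new mysqli('localhost', 'dbuser', 'dbpass', 'contacts');  // assumed connection details
$connection->set_charset('utf8mb4');

$stmt = $connection->prepare('INSERT INTO contacts (vcard) VALUES (?)'); // assumed table and column
$stmt->bind_param('s', $vcard);
$stmt->execute();
printf("Stored vCard as row %d\n", $connection->insert_id);
$stmt->close();
$connection->close();
```

If the vCard text ever comes from user input rather than a literal, step (3) is the part that matters: the nowdoc only solves the interpolation notice, while the bound parameter is what keeps arbitrary content out of the SQL statement.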