I am just getting familiar with SQL via PHP. I noticed that common escaping functions don't escape the backtick. Why is it so? Isn't the following a common example?
$sql = 'SELECT * FROM `' . $table . '`';
Common escaping functions are for the common use case of escaping data that is being supplied to a query. Even then, it is better to learn to use parameterized queries (often just called "prepared queries") which send the data to the database separately from the SQL, so that it doesn't need escaping at all.
It is very rare to need to generate SQL without knowing the name of the table or column you're querying. When it really is necessary, you should have a hard-coded list of allowed values - you don't want someone accessing your "users" table just by supplying an unexpected input to something that was intended for choosing between "categories" and "tags". In the extremely rare scenarios where that isn't appropriate, then yes, you might need some kind of escaping or validation that checks the name.
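The two points of the answer (bind data with a parameterized query; pick identifiers from a hard-coded allowlist) as an added PHP example that is not part of the original question or answer. It assumes a PDO connection to MySQL and two hypothetical tables named `categories` and `tags`; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original post). Assumes MySQL via PDO and
// two hypothetical tables, "categories" and "tags".

// Identifiers: the user never supplies a table name directly. The request
// value is a key into a hard-coded allowlist, so no backtick escaping is needed
// and a value such as "users" simply fails the lookup.
const ALLOWED_TABLES = [
    'categories' => 'categories',
    'tags'       => 'tags',
];

function resolveTable(string $requested): string
{
    if (!array_key_exists($requested, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table selection');
    }
    // Quoting with backticks is safe here: the name comes from our own list.
    return '`' . ALLOWED_TABLES[$requested] . '`';
}

function connect(): PDO
{
    // Placeholder DSN/credentials; replace with your own.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements rather than client-side emulation,
        // so the data really does travel separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Data: the search value is bound as a parameter, so quotes, backticks or
// anything else in it are treated as data, not SQL.
function findByName(PDO $pdo, string $tableChoice, string $name): array
{
    $sql  = 'SELECT * FROM ' . resolveTable($tableChoice) . ' WHERE name = :name';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the table choice is validated against the allowlist and the
// search term is bound; neither is concatenated as raw user input.
$pdo  = connect();
$rows = findByName($pdo, $_GET['type'] ?? 'categories', $_GET['q'] ?? '');
```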