Re: [PHP] significance of escape character in string in PHP

2013-03-18 Thread Matijn Woudt
On Mon, Mar 18, 2013 at 4:20 PM, Stuart Dallas  wrote:

> On 18 Mar 2013, at 15:08, Matijn Woudt  wrote:
>
> > On Mon, Mar 18, 2013 at 2:19 PM, Sebastian Krebs wrote:
> >
> >> 2013/3/18 Ken Robinson 
> >>
> >>>
> >>>
> >>> On 18.03.2013 09:10, Norah Jones wrote:
> >>>
> >>>> I have a string which has a few ' (single quotes) and a few "
> >>>> (double quotes) and I was not able to insert it into the mysql database. I
> >>>> have replaced them with \' and \" and everything is fine.
> >>>> Though this is fine now, I don't understand how it works and I could
> >>>> have missed a few corner cases also. Please explain how it works and also
> >>>> whether there is some better way to achieve this.
> >>>>
> >>>
> >>> You should be using either mysql_real_escape_string or
> >>> mysqli_real_escape_string (preferably the latter) depending on how
> >>> you're accessing the DB.
> >>
> >>
> >> You shouldn't use ext/mysql at all!
> >> Use prepared statements with PDO_MYSQL or MySQLi
> >>
> >>
> > And here comes the flame war again...
>
> There's no need for it to be a flame war. The mysql extension is
> officially not recommended for writing new code, so anyone using it should
> be informed of this fact. I think it should consist of more than "don't use
> that," but at the very least that should cause the questioner to want to
> know why.
>
> http://php.net/intro.mysql
>
> This issue is problematic for exactly the reason Norah demonstrates above:
> "it's working." Great that in this case it hasn't been left at that, but
> most will see it work and think they've "got it right." I believe the
> community has a responsibility to give good advice and recommend best
> practices as well as directly addressing people's problems, so it's right
> that things like this get repeatedly pointed out where appropriate.
>
>
I know ext/mysql is deprecated, though is there any difference between the
procedural mysqli vs ext/mysql, except that mysqli requires $link, whereas
ext/mysql will take the last link opened?

- Matijn


RE: [PHP] significance of escape character in string in PHP - MySQL

2013-03-18 Thread Arno Kuhl
> There's no need for it to be a flame war. The mysql extension is officially
> not recommended for writing new code, so anyone using it should be informed
> of this fact. I think it should consist of more than "don't use that," but
> at the very least that should cause the questioner to want to know why.
>
> http://php.net/intro.mysql
>
> This issue is problematic for exactly the reason Norah demonstrates above:
> "it's working." Great that in this case it hasn't been left at that, but
> most will see it work and think they've "got it right." I believe the
> community has a responsibility to give good advice and recommend best
> practices as well as directly addressing people's problems, so it's right
> that things like this get repeatedly pointed out where appropriate.
>
> -Stuart
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
--

Thanks, didn't know about this. No doubt it's been general news for months
or years but I see the PHP manual page you linked to was edited 3 days ago.
Will have to see what ADOdb is doing - the last release I saw didn't support
PDO_MySQL or mysqli. I googled and saw a first release of 5.5 will be this
month?

Cheers
Arno


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] significance of escape character in string in PHP

2013-03-18 Thread Stuart Dallas
On 18 Mar 2013, at 15:08, Matijn Woudt  wrote:

> On Mon, Mar 18, 2013 at 2:19 PM, Sebastian Krebs wrote:
> 
>> 2013/3/18 Ken Robinson 
>> 
>>> 
>>> 
>>> On 18.03.2013 09:10, Norah Jones wrote:
>>> 
>>>> I have a string which has a few ' (single quotes) and a few "
>>>> (double quotes) and I was not able to insert it into the mysql database. I
>>>> have replaced them with \' and \" and everything is fine.
>>>> Though this is fine now, I don't understand how it works and I could
>>>> have missed a few corner cases also. Please explain how it works and also
>>>> whether there is some better way to achieve this.
>>>>
>>> 
>>> You should be using either mysql_real_escape_string or
>>> mysqli_real_escape_string (preferably the latter) depending on how you're
>>> accessing the DB.
>> 
>> 
>> You shouldn't use ext/mysql at all!
>> Use prepared statements with PDO_MYSQL or MySQLi
>> 
>> 
> And here comes the flame war again...

There's no need for it to be a flame war. The mysql extension is officially not 
recommended for writing new code, so anyone using it should be informed of this 
fact. I think it should consist of more than "don't use that," but at the very 
least that should cause the questioner to want to know why.

http://php.net/intro.mysql

This issue is problematic for exactly the reason Norah demonstrates above: 
"it's working." Great that in this case it hasn't been left at that, but most 
will see it work and think they've "got it right." I believe the community has 
a responsibility to give good advice and recommend best practices as well as 
directly addressing people's problems, so it's right that things like this get 
repeatedly pointed out where appropriate.

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/



Re: [PHP] significance of escape character in string in PHP

2013-03-18 Thread Matijn Woudt
On Mon, Mar 18, 2013 at 2:19 PM, Sebastian Krebs wrote:

> 2013/3/18 Ken Robinson 
>
> >
> >
> > On 18.03.2013 09:10, Norah Jones wrote:
> >
> >> I have a string which has a few ' (single quotes) and a few "
> >> (double quotes) and I was not able to insert it into the mysql database. I
> >> have replaced them with \' and \" and everything is fine.
> >> Though this is fine now, I don't understand how it works and I could
> >> have missed a few corner cases also. Please explain how it works and also
> >> whether there is some better way to achieve this.
> >>
> >
> > You should be using either mysql_real_escape_string or
> > mysqli_real_escape_string (preferably the latter) depending on how you're
> > accessing the DB.
>
>
> You shouldn't use ext/mysql at all!
> Use prepared statements with PDO_MYSQL or MySQLi
>
>
And here comes the flame war again...


Re: [PHP] significance of escape character in string in PHP

2013-03-18 Thread Sebastian Krebs
2013/3/18 Ken Robinson 

>
>
> On 18.03.2013 09:10, Norah Jones wrote:
>
>> I have a string which has a few ' (single quotes) and a few "
>> (double quotes) and I was not able to insert it into the mysql database. I
>> have replaced them with \' and \" and everything is fine.
>> Though this is fine now, I don't understand how it works and I could
>> have missed a few corner cases also. Please explain how it works and also
>> whether there is some better way to achieve this.
>>
>
> You should be using either mysql_real_escape_string or
> mysqli_real_escape_string (preferably the latter) depending on how you're
> accessing the DB.


You shouldn't use ext/mysql at all!
Use prepared statements with PDO_MYSQL or MySQLi


>
>
> Ken
>
>
>


-- 
github.com/KingCrunch
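
An added example, not code from any poster in this thread, showing the corner case the question asks about and the prepared-statement alternative recommended above. The helper names and sample values are constructed, and an in-memory SQLite database stands in for MySQL so the script runs offline; the same `prepare`/`execute` calls apply with PDO_MYSQL.

```php
<?php
// Added example; requires the pdo_sqlite extension. All names are hypothetical.

// The hand-rolled fix from the question: backslash-escape both quote
// characters and nothing else.
function escape_quotes_only(string $s): string {
    return str_replace(["'", '"'], ["\\'", '\\"'], $s);
}

// Does the single-quoted literal '$body' end exactly at its closing quote
// under MySQL's default rules (backslash escapes the next character,
// and '' inside the literal is one quote)?
function literal_is_closed(string $body): bool {
    $sql = "'" . $body . "'";
    $n = strlen($sql);
    for ($i = 1; $i < $n; $i++) {
        if ($sql[$i] === '\\') { $i++; continue; }   // skip the escaped character
        if ($sql[$i] === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") { $i++; continue; }
            return $i === $n - 1;                     // literal must end here
        }
    }
    return false;                                     // closing quote was consumed
}

// Constructed sample values: the last two contain backslashes.
$samples = ["O'Reilly", 'say "hi"', 'C:\\temp\\', "back\\'slash"];

foreach ($samples as $s) {
    printf("%-14s quotes-only escaping closes cleanly: %s\n",
        $s, literal_is_closed(escape_quotes_only($s)) ? 'yes' : 'NO');
}

// Prepared statement: the value is bound separately from the SQL text,
// so no escaping rules have to be reproduced by hand.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT)');
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ($samples as $s) {
    $insert->execute([':body' => $s]);
}
$stored = $pdo->query('SELECT body FROM notes ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples);   // compares what was stored with what was sent
```

The two backslash samples are the corner case: replacing only the quote characters leaves the backslash itself unescaped, so the literal no longer ends where the query author intended.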


Re: [PHP] significance of escape character in string in PHP

2013-03-18 Thread Ken Robinson



On 18.03.2013 09:10, Norah Jones wrote:

> I have a string which has a few ' (single quotes) and a few "
> (double quotes) and I was not able to insert it into the mysql database. I
> have replaced them with \' and \" and everything is fine.
> Though this is fine now, I don't understand how it works and I could
> have missed a few corner cases also. Please explain how it works and also
> whether there is some better way to achieve this.


You should be using either mysql_real_escape_string or 
mysqli_real_escape_string (preferably the latter) depending on how you're
accessing the DB.


Ken
