Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Preparing SQLite SQL statements in PHP

Tags:

sql

php

sqlite

escaping

I'm trying how best to prepare my SQLite SQL strings in PHP. The SQLite3 class comes with an escapeString() function, but here are my issues:

Try 1)

$sql = "INSERT INTO items ('id','content','title','created') VALUES ('4e7ce7c18aac8', 'Does this work', NULL, '2011-09-23T16:10:41-04:00');";
$sql = SQLite3::escapeString( $sql );
echo ($sql);

This results in a string that's all jacked up:

INSERT INTO items (''id'',''content'',''title'',''created'') VALUES (''4e7ce7c18aac8'', ''Does this work'', NULL, ''2011-09-23T16:10:41-04:00'');

Those aren't double quotes, rather doubled-up single quotes. Obviously won't work.

Try 2)

$sql = 'INSERT INTO items ("id","content","title","created") VALUES ("4e7ce7c18aac8", "Does this work", NULL, "2011-09-23T16:10:41-04:00");';
$sql = SQLite3::escapeString( $sql );
echo ($sql);

This results in:

INSERT INTO items ("id","content","title","created") VALUES ("4e7ce7c18aac8", "Does this work", NULL, "2011-09-23T16:10:41-04:00");

This query works fine, but the escapeString function hasn't modified anything as there's nothing to escape...

Try 3)

$sql = 'INSERT INTO items ("id","content","title","created") VALUES ("4e7ce7c18aac8", "Doesn't this work", NULL, "2011-09-23T16:10:41-04:00");'; $sql = SQLite3::escapeString( $sql ); echo ($sql);

Here's the big problem- Now I have an apostrophe in one of my values. It won't even make it to escapeString() because PHP will throw an error on the invalid string:

PHP Parse error: syntax error, unexpected T_VARIABLE, expecting ',' or ';'

How am I supposed to be approaching this? Keep in mind that in the actual code my parameter values will be variables, so am I supposed to escape each variable before I pass it into the string? If so, what function do I use?

Finally, what's the point of escapeString()?? I can't figure out how it's supposed to be used correctly.

like image 231
Yarin Avatar asked Dec 07 '22 19:12

Yarin

1 Answers

You don't escape the entire query. You escape unsafe data you're inserting into the query, e.g.

$unsafe = $_GET['nastyvar'];
$safe = SQLite3::escapeString($unsafe);
$sql = "INSERT INTO table (field) VALUES ($safe);";
echo ($sql);
like image 137
Marc B Avatar answered Dec 10 '22 12:12

Marc B
Sign in to Comment

Related questions

PHP Time() to Google Calendar Dates time format
a more simple way to code in php "if ( $x == $a[1] || $x == $a[2] || $x == $a[3] ....)
How to log user out due to inactivity
Magento: how to show standard error/success message using JS in admin panel?
PHP delay redirect back to a page
Does "mysql_query() or die()" leave open mysql connection?
Extracting JSON from cURL results
PHPUnit mocking - fail immediately when method called x times
Return only the shortcode from post?
doctrine2 native query update statement
Primary Key from 1 to 01, 2 to 02, etc
Is it realistic to start using unit testing when you're almost done?
PHP and Money, converting money to cents
PHP - file_get_contents() with variable in string?
php function to convert %3c back to html
Weird bug when variable takes the value of a object
Drupal 7 get teaser with field_view_value()
Problem with simple regular expression
What is tab injection?
PHP regex for valid XML tag name

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!