Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Whats does pg_escape_string exactly do?

Tags:

php

postgresql

I'm using the following script which takes the data from a html form and stores in a Postgres DB. There is this pg_escape_string function which stores the value from the form to the php variable. Searching the web throughout, I found that pg_escape_string escapes a string for insertion into the database. I'm not much clear on this. What does it actually escaping? What actually happens when its said that a string is escaped?

<html>
   <head></head>
   <body>       

 <?php
 if ($_POST['submit']) {
     // attempt a connection
     $dbh = pg_connect("host=localhost dbname=test user=postgres");
     if (!$dbh) {
         die("Error in connection: " . pg_last_error());
     }

     // escape strings in input data
     $code = pg_escape_string($_POST['ccode']);
     $name = pg_escape_string($_POST['cname']);

     // execute query
     $sql = "INSERT INTO Countries (CountryID, CountryName) VALUES('$code', '$name')";
     $result = pg_query($dbh, $sql);
     if (!$result) {
         die("Error in SQL query: " . pg_last_error());
     }

     echo "Data successfully inserted!";

     // free memory
     pg_free_result($result);

     // close connection
     pg_close($dbh);
 }
 ?>       

    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
      Country code: <br> <input type="text" name="ccode" size="2">  
      <p>
      Country name: <br> <input type="text" name="cname">       
      <p>
      <input type="submit" name="submit">
    </form> 

   </body>
 </html>
like image 426
Sri Hari Charan Avatar asked Sep 01 '11 04:09

Sri Hari Charan

Video Answer

2 Answers

Consider the following code:

$sql = "INSERT INTO airports (name) VALUES ('$name')";

Now suppose that $name is "Chicago O'Hare". When you do the string interpolation, you get this SQL code:

INSERT INTO airports (name) VALUES ('Chicago O'Hare')

which is ill-formed, because the apostrophe is interpreted as a SQL quote mark, and your query will error.

Worse things can happen, too. In fact, SQL injection was ranked #1 Most Dangerous Software Error of 2011 by MITRE.

But you should never be creating SQL queries using string interpolation anyway. Use queries with parameters instead.

$sql = 'INSERT INTO airports (name) VALUES ($1)';
$result = pg_query_params($db, $sql, array("Chicago O'Hare"));
like image 189
Ryan Culpepper Avatar answered Sep 20 '22 04:09

Ryan Culpepper

pg_escape_string() prevent sql injection in your code

like image 28
tttony Avatar answered Sep 23 '22 04:09

tttony
Sign in to Comment

Related questions

Email piping with php script
codeigniter 2 uses pdo or php mysql function for it's active record?
Mysql query : date_format and sprintf()
Commenting/skipping markup with Smarty
Is it ever okay to have a class as a collection of methods and no properties?
How to output a string with a double quotation mark?
Codeigniter issue with escaping values when passing array to query with "in" in the where clause
EC2 Ubuntu mysql_connect function causing 500 Internal Server Error
DOMDocument::saveHTML($domnode) in PHP 5.2?
how to avoid output foreach error?
WordPress: Custom Users not Appearing in Author box
Getting contents of a div with PHP's DOM
How do I convert a PDF to text so I can parse that text with PHP?
PHP sort array by subset
Php: Parentheses when creating new object? [duplicate]
Magic Quotes Off, Still Slashes
Method missing in Java or PHP
How to pass null value using ajax to PHP?
PHP mysql search queries
PHP - Filenames in HTTP-headers: Problem with whitespaces

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!