When should special characters be escaped inside strings?

  • srbakshi
    New Member
    • Aug 2008
    • 18

    When should special characters be escaped inside strings?

    Hi all. I picked up the following code example from the php manual:
    Code:
    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
        OR die(mysql_error());
    
    // Query
    $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
                mysql_real_escape_string($user),
                mysql_real_escape_string($password));
    My question is, shouldn't we be escaping the ' in the sprintf statement with backslashes? Like this? -->

    Code:
    $query = sprintf("SELECT * FROM users WHERE user=\'%s\' AND password=\'%s\'",
                mysql_real_escape_string($user),
                mysql_real_escape_string($password));
    I'm kind of confused with all this. When are we supposed to put the backslashes?? Please somebody help.

    Also, while you pros are at it, I'll really appreciate it if you could tell me if these two strings are the same:

    String A:
    Code:
    char A[] = "Hello. 'How are you' ";
    String B:
    Code:
    char B[] = "Hello. \'How are you\'";
    Because both print Hello. 'How are you' on the screen when using printf.
    Also, both have the same string lengths.

    I'm wondering why we need to escape the 's at all if they print the same string and are of the same length as well.

    Sorry if the question is uber-dumb.
    Thanks in advance,
    Sid
    Last edited by Atli; May 18 '09, 07:07 PM. Reason: Moved to the PHP forum, and the title cleaned up a bit.
  • Atli
    Recognized Expert Expert
    • Nov 2006
    • 5062

    #2
    Hi.

    If you open a string using double-quotes, there is no need to escape single-quotes inside that string. (And the other way around.)

    However, both will accept the escaped versions and convert them into their respective characters, just like they are supposed to.
    [code=php]
    // Both print exactly the same: John's name
    echo "John's name";
    echo "John\'s name";
    [/code]

    The only time you really need to escape a quote character is if it is within a string that it would otherwise close.
    Like a single-quote inside a single-quoted string.
    [code=php]
    echo 'John's name'; // Gives a parse error
    echo 'John\'s name'; // Works

    echo "John said: "What?""; // Gives a parse error
    echo "John said: \"What?\""; // Correct
    [/code]

    Does that answer your question?

    Edit.
    Looking closer at your bottom examples, they look like C/C++?
    In PHP, both strings would print the single-quotes as if the escape characters weren't there. In C/C++ however, I do not know.

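The following script is an added example, not part of the thread or Atli's reply, showing which backslash sequences PHP actually interprets in each kind of string literal. Single-quoted literals only process `\'` and `\\`; double-quoted literals process `\"`, `\\`, `\n`, `\t`, `\$` and friends, but `\'` is not among them, so the backslash is stored as data. (For the C question at the bottom of the first post: in C, `\'` is a standard escape, so `A` and `B` hold the same bytes apart from the trailing space in `A`.) The sample strings are constructed for the example.

```php
<?php
// Added example (not from the original thread): what PHP stores for each
// kind of quoting. All labels below are single-quoted so they print literally.

$samples = [
    // Single-quoted: only \' and \\ are escapes; other backslashes are literal.
    'sq apostrophe' => 'John\'s name',    // apostrophe stored, no backslash
    'sq \n'         => 'line\nbreak',     // backslash and n stored, no newline
    'sq \"'         => 'say \"hi\"',      // backslash kept in front of each "
    // Double-quoted: \" \\ \n \t \$ \x.. are escapes, but \' is NOT one.
    'dq apostrophe' => "John's name",     // apostrophe needs no escape here
    'dq \\\''       => "John\'s name",    // backslash AND apostrophe stored
    'dq \n'         => "line\nbreak",     // a real newline byte is stored
    'dq \"'         => "say \"hi\"",      // quotes stored, backslashes dropped
];

foreach ($samples as $label => $s) {
    // strlen counts the stored bytes; addcslashes makes control bytes
    // (such as the newline) visible without touching stored backslashes.
    printf("%-14s %2d bytes: %s\n", $label, strlen($s), addcslashes($s, "\0..\37"));
}
```

Run it with `php` and compare the `dq apostrophe` and `dq \'` lines: the second is one byte longer because the backslash is part of the string. That is exactly why the escaped `sprintf` format proposed in the question would be wrong: the backslashes would end up inside the SQL text rather than disappearing at the PHP level.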

    • Markus
      Recognized Expert Expert
      • Jun 2007
      • 6092

      #3
      When dealing with SQL, you should always escape special characters.

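What that one-line rule protects against, as an added example that is not from the thread or from either poster: the login query from the manual snippet run three ways, with attacker-controlled input constructed for the example. It assumes PDO with the sqlite in-memory driver (`pdo_sqlite`) so it needs no server; the same calls work against MySQL through PDO. `PDO::quote()` stands in for `mysql_real_escape_string()`, with one difference noted in the comments.

```php
<?php
// Added example (not from the original thread). Assumes pdo_sqlite so it
// runs offline; the table and rows are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'correct-horse')");

// Attacker-controlled input: a quote closes the user literal, and the
// injected OR makes the password comparison irrelevant.
$user     = "alice' OR '1'='1";
$password = "wrong";

// 1. No escaping: the input is spliced straight into the SQL text, so the
//    injected clause is parsed as SQL and the row matches without a password.
$unescaped = sprintf("SELECT COUNT(*) FROM users WHERE user='%s' AND password='%s'",
                     $user, $password);
echo "unescaped: ", $pdo->query($unescaped)->fetchColumn(), " row(s)\n";

// 2. Escaped: the embedded quote is doubled so it stays inside the literal.
//    PDO::quote() returns the value *with* its surrounding quotes, so the
//    format string must not add its own; mysql_real_escape_string() adds no
//    quotes, which is why the manual snippet keeps the quotes around '%s'.
$escaped = sprintf("SELECT COUNT(*) FROM users WHERE user=%s AND password=%s",
                   $pdo->quote($user), $pdo->quote($password));
echo "escaped:   ", $pdo->query($escaped)->fetchColumn(), " row(s)\n";

// 3. Prepared statement: query text and values are sent separately, so no
//    escaping is needed and none can be forgotten. Prefer this.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE user=? AND password=?");
$stmt->execute([$user, $password]);
echo "prepared:  ", $stmt->fetchColumn(), " row(s)\n";
```

Run it with `php`: only the unescaped query matches a row; the escaped and prepared versions treat the whole input as a user name and match nothing. Escaping works only if every value is escaped every time, which is why the prepared statement in step 3 is the form to reach for rather than the `sprintf` pattern.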

      • srbakshi
        New Member
        • Aug 2008
        • 18

        #4
        Thank you atli and Markus. That helped. :)
        -Sid
