Escaping characters..

Anon

I've been told the following:

quote:
"Possibly you have some data in one of those variables that is corrupting your query string. Echo the $sql_update string and check the statement. You may have some characters that need to be <b>escaped</b>."

What does it mean to escape characters?

Anon

If you have a quote inside a quote:

$form_input = "cat's name";

$sql = "INSERT INTO tbl VAUES('$form_input')";

But if you output the query, you'll see it's:

INSERT INTO tbl VALUES('cat's name')

therefore, there's a conflict with the single quotes. Similar case with double quote and may be others...

Diego

Anon

To "escape" a character means to stick some special character into the string immediately before it to tell whatever is supposed to be reading the string that "what follows is to be treated specially". It is also used to indicate that a character that is usually treated specially is to be treated normally.

In this case (SQL), since ' has a special meaning in a SQL query in that it marks the beginning or end of a text value, it has to be escaped when you're using it inside the value (like I did just a few words back).

Allegedly, in SQL you're supposed to use a ' character to escape a ' character, but that's always seemed dodgy to me. An alternative that is also used (in many languages, including PHP) is the backslash \ character.

In Diego Huang's example:

INSERT INTO tbl VALUES('cat\'s name')

SQL will go through this, reach the first ' and start reading what follows as text, then it hits the \ which tells it to treat the next character differently from how it normally would. It's a ', which would normally tell it that this was the end of the text, but it's been escaped, so instead it just gets read as a ' that is part of the text. It continues on until it gets to the last ' which does end the text.