PHP :: Bug #362 :: simple and double quotation mark

Bug #362	simple and double quotation mark
Submitted:	1998-05-08 07:36 UTC	Modified:	1998-05-08 08:36 UTC
From:	fer at fert dot es	Assigned:
Status:	Closed	Package:	mSQL related
PHP Version:	3.0 Release Candidate 4	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	fer at fert dot es
New email:
PHP Version:		OS:

New Comment:

[1998-05-08 07:36 UTC] fer at fert dot es

in a where clause you cannot use a variable containig simple
 or double quotation marks. However, if that variable comes
from a form, it works!
By the moment, we have solved the problem using a reg_replace
function changing ' with \', that is, escaping these naughty
characters.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[1998-05-08 08:36 UTC] zeev

This is not a bug in PHP, but a bug in the script...
The query that you're forming inside the double quotes
simply isn't a valid SQL query.
The reason it works with variables that come from forms,
is that you probably have magic_quotes_gpc turned on,
and magic_quotes_gpc automatically escapes any input
coming from GET/POST/Cookie variables, so no further
escaping is required.

To avoid the problem, you should run addslashes() on
the string before putting it into the query text, e.g.
$foo = addslashes($foo);

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2026 The PHP Group All rights reserved.	Last updated: Thu Jan 08 17:00:01 2026 UTC