$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
SELECT `select` FROM myTable
SELECT select FROM myTable
@Brett Not a problem, I've added just a bit more to the end of the answer.
A lot of this can be handled for you by simply passing your values through mysql_real_escape_string(). In the example below you can see that we're passing user-submitted data through this function to ensure it won't cause any problems for our query:
Any quote that is preceded by a slash is escaped, and understood to be part of the value of the string.
Escaping a string means to reduce ambiguity in quotes (and other characters) used in that string. For instance, when you're defining a string, you typically surround it in either double quotes or single quotes:
It should be noted that performing string-escaping to combat the problems of SQL Injection is considered bad practice and can easily lead to security problems if not performed properly (especially when dealing with certain types of malformed multi-byte character attacks). Please never string-escape for this reason and use parameterised sql queries, or stored procedures instead.
Now I have ambiguity - the interpreter doesn't know where my string ends. If I want to keep my double quotes, I have a couple options. I could use single quotes around my string:
Other methods exist for escaping strings, such as add_slashes, addcslashes, quotemeta, and more, though you'll find that when the goal is to run a safe query, by and large developers prefer mysql_real_escape_string or pg_escape_string (in the context of PostgreSQL.
This removes the confusion we've introduced by using poor judgment in selecting field names.
We've now introduced some ambiguity into our query. Within our query, we can reduce that ambiguity by using back-ticks:
When it comes to queries, MySQL has certain keywords it watches for that we cannot use in our queries without causing some confusion. Suppose we had a table of values where a column was named "Select", and we wanted to select that:
you said a lot of this can be handled for you by simply passing your values through 'mysql_real_escape_string()' can you expand your answer to tell us what can't or is that a big ask?