[thelist] Single and double quotes - forms and mysql

Renoir B. renoirb at gmail.com
Tue Sep 24 09:27:10 CDT 2013

Hello Bob,

I might sound like a Duty call intervention [6], but I think you might see
what I mean by the following sample.

I know what you are doing and what I am saying is that you are using a 10+
y. old technique that is deprecated.

My recommendation is to use PDO and/or PHP's filter functions [1][2], but
please, not mysql_real_escape_string as it *IS** deprecated* (look at the
notice on top of the page) [0].

Would do much better than using the deprecated mysql_real_escape_string and
a concoction of  str_replace.  Also that it ignores UTF-8 characters and
you would have to use mb*replace [7].

Some people might want to insert a U+1F4A9 [8] character someday in their

Therefore, as I was recommending (with code samples):

*Use PHP native filters*

    $title = filter_input(INPUT_POST,
$_POST['form']['title'], FILTER_SANITIZE_STRING);

*And/Or using PDO:*

I am not sure if PDO escapes strings already with the quote() [9]  method,
but the prepare() [10] method is taking care of it.

    /* Initialize, see http://www.php.net/manual/en/pdo.construct.php [5] */
    $conn = new PDO('mysql:dbname=testdb;host=', $dbuser, $dbpass);

    try {
        $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
WHERE calories < :calories AND colour = :colour');
        // See the third argument, it is a PDO::PARAM_* constant :
        //    - http://php.net/manual/en/pdostatement.bindparam.php  [3]
        //    - http://www.php.net/manual/en/pdo.constants.php  [4]
        $sth->bindParam(':calories', $_POST['calories'], PDO::PARAM_INT);
        $sth->bindParam(':colour', $_POST['colour'], PDO::PARAM_STR, 12);
    } catch(Exception $e) {
        // Ensure that it is not commited by rolling back the query
        // Assuming this block is not in a view, it should grab this throw,
from an other try..catch block where this block is called from
        throw $e;

*Field association*
Also, I see that you seem to hardcode field association with the database.

The best is to also use form as an array (e.g. fields
name="register[fname]") and have either a mapping to get to/from the

Then you could create a mapping of each field and their type (defining the
appropriate PDO::PARAM_INT). Then loop from the $_POST['form'] fields array
and add data from the mapping.

Finaly, run $sth->bindParam() on each of them.

But I just described what Doctrine2 does in part. :]


Hope this applied sample connected dots for you :)

  [0]: http://php.net/manual/en/function.mysql-real-escape-string.php
  [1]: http://www.php.net/manual/en/filter.filters.php
  [2]: http://www.php.net/manual/en/function.filter-input.php
  [3]: http://php.net/manual/en/pdostatement.bindparam.php
  [4]: http://www.php.net/manual/en/pdo.constants.php
  [5]: http://www.php.net/manual/en/pdo.construct.php
  [6]: http://xkcd.com/386/
  [7]: http://php.net/manual/en/function.mb-ereg-replace.php
  [8]: http://www.fileformat.info/info/unicode/char/1f4a9/index.htm
  [9]: http://php.net/manual/en/pdo.quote.php
  [10]: http://www.php.net/manual/en/pdo.prepare.php


*Renoir Boulanger * |  Frontend & Software developer
https://renoirboulanger.com/ <https://renoirboulanger.com/#is>  ✪

More information about the thelist mailing list