PHP How add quotes?

Question

$sqlL = '';
$Allel = '';
foreach($arr as $el){
    $AllUrl .= ",'".addslashes($el)."'";
    $sqlL .= "INSERT INTO Table (ID, Seet, Column) VALUES ('4', '$Seet', '$el');";
}

        $AllUrl = substr($Allel, 1); //delete first comma
        $sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN($Allel);";

In result we get next $sqlL:

DELETE FROM Table WHERE ID= '4' AND URL NOT IN(house, test, test test);

But in not right and this it will not work.

Tell me please how add quotes in $Allel ?

P.S.: i would like get next query:

DELETE FROM Table WHERE ID= '4' AND URL NOT IN('house', 'test', 'test test');

`addslashes()` is **not** a good way of escaping your database input. Use PDO or MySQLi if you're not doing so already — Bojangles, Jul 17 '14 at 08:23
Recommended reading: [How to prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) — Álvaro González, Jul 17 '14 at 08:26
@Sadikhasan $Allel - is string, in result $allel = 'house, test, test test'; — , Jul 17 '14 at 08:29
so you are preparing a perfect query for sql injection attack?! — mohamnag, Jul 17 '14 at 08:30
I have seen many example codes that find their way into products, no wounder why sql injection is since years on the top 10 attacks list — mohamnag, Jul 17 '14 at 08:35

score 1 · Accepted Answer · answered Jul 17 '14 at 08:28

1

Try with this:

$sqlL = '';

foreach($arr as $el){
    $sqlL .= "INSERT INTO Table (ID, Seet, Column) VALUES ('4', '$Seet', '$el');";
}

$AllUrl = "'".implode("','",$arr)."'";
$sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN($AllUrl);";

answered Jul 17 '14 at 08:28

clami219

2,710
1
25
39

score 1 · Answer 2 · edited Jul 17 '14 at 08:35

1

There is only one answer to this... use prepared statements and don't build your own query using string functions and "handcraft" quotation marks and stuff. It is risky and the opposite of clean programing.

Anyways:

If $Allel contains pure values, use

$Allel = array_map(function($v) { return "'" . $v . "'"; }, $Allel);
$Allel = implode(', ', $Allel);

First line will wrap ' arround the values, second line will concat each with ,.

edited Jul 17 '14 at 08:35

ljacqu

1,982
1
13
21

answered Jul 17 '14 at 08:29

Daniel W.

26,503
9
78
128

This. This so much! Please look into prepared statements! – ljacqu Jul 17 '14 at 08:30
there is no "pure value" every data is dangerous! – mohamnag Jul 17 '14 at 08:36

score 1 · Answer 3 · edited Jul 17 '14 at 08:29

1

i think he wants something different , can you try it ?

implode("', '", $array);

and sql

$sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN('".$Allel."');";

edited Jul 17 '14 at 08:29

Darren

12,786
3
34
71

answered Jul 17 '14 at 08:29

ThomasP1988

3,201
2
24
30

score 1 · Answer 4 · answered Jul 17 '14 at 08:52

While using an array and implode is probably the best solution, the problem with your code is that you set up one variable with the quotes, then instead add a different variable to the SQL:-

$sqlL = '';
foreach($arr as $el)
{
    $AllUrl .= ",'".addslashes($el)."'";
    $sqlL .= "INSERT INTO Table (ID, Seet, Column) VALUES ('4', '$Seet', '$el');";
}

$AllUrl = substr($AllUrl, 1); //delete first comma
$sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN($AllUrl);";

To use implode, add the items to an array (ignoring the comma), then just implode that array with a separating comma in the final assignment into the DELETE statement:-

$sqlL = '';
foreach($arr as $el)
{
    $AllUrl[] = "'".addslashes($el)."'";
    $sqlL .= "INSERT INTO Table (ID, Seet, Column) VALUES ('4', '$Seet', '$el');";
}

$sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN(".implode(',', $AllUrl).");";

You should be escaping the string using mysql_real_escape_string or equivalent. Not sure which database drivers you are using so although the mysql_* drivers are deprecated they will do for an example:-

$sqlL = '';
foreach($arr as $el)
{
    $AllUrl[] = "'".mysql_real_escape_string($el)."'";
    $sqlL .= "INSERT INTO Table (ID, Seet, Column) VALUES ('4', '$Seet', '$el');";
}

$sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN(".implode(',', $AllUrl).");";

score 0 · Answer 5 · answered Jul 17 '14 at 08:25

0

You can use the PHP implode() function

<?php
implode(', ', $array);

PHP Documentation

answered Jul 17 '14 at 08:25

Fabien Papet

1,989
2
20
47

sorry, not need comma, need add quotes in `$Allel` that get `DELETE FROM Table WHERE ID= '4' AND URL NOT IN('house', 'test', 'test test');` – Jul 17 '14 at 08:28

score 0 · Answer 6 · answered Jul 17 '14 at 08:29

0

You can use implode function,

$array = array('lastname', 'email', 'phone');
$comma_separated = implode(",", $array);

See the example below

$array = array("1","2","3");
echo "Array is: ".implode(",",$array );

Array is: 1,2,3

answered Jul 17 '14 at 08:29

JSunny

477
2
7

score 0 · Answer 7 · answered Jul 17 '14 at 08:31

try this

$sqlL = '';
$Allel = '';

$arr_Allel = array();
foreach($arr as $el){
    $arr_Allel[] = ",'".addslashes($el)."'";
    $sqlL .= "INSERT INTO Table (ID, Seet, Column) VALUES ('4', '$Seet', '$el');";
}

$Allel = implode(",", $arr_Allel);

$sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN($Allel);";

JokiRuiz · Answer 8 · 2014-07-17T09:11:31.963

0

Try this:

<?php 

foreach($arr as $el){
    $AllUrl .= "'".addslashes($el)."' "; // Add items between spaces
}

$AllUrl_ = explode(" ",$AllUrl);
$AllUrlFinal = implode(",", $AllUrl_ ); // Change spaces by commas
$AllUrlFinal=trim($AllUrlFinal, ","); // would cut trailing and prefixing commas.
$sqlL .= "DELETE FROM Table WHERE ID= '4' AND URL NOT IN($AllUrlFinal);";

edited Jul 17 '14 at 09:11

answered Jul 17 '14 at 08:31

JokiRuiz

311
3
12

edited - `$AllUrlFinal=trim($AllUrlFinal, ","); // would cut trailing and prefixing commas.` – JokiRuiz Jul 17 '14 at 09:11

PHP How add quotes?

8 Answers8