How to properly escape a string via PHP and mysql
Can someone explain the difference between using mysql_real_escape_string on a string and wrapping `` around the column?
For example "insert into table (`column`) values ('$string')"
or
$escapedstring = mysql_real_escape_string($string); "insert into table (column) values ('$escapedstring')"
What is the difference between these 2, and which should I use? Thanks.
There's a difference between the backtick ` and the single quote '.
The backtick is intended to escape table and field names that may conflict with MySQL reserved words. If I had a field named date and a query such as select date from mytable, I'd need to escape that use of date so that when MySQL parses the query, it will interpret the use of date as a field rather than the datatype date.
The single quote ' is intended for literal values, as in select * from mytable where somefield='somevalue'. If somevalue itself contains single quotes, they need to be escaped to prevent premature closing of the quote literal.
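The two quoting contexts from the answer, side by side, as an added example that is not code from the original post. It assumes the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in so it runs without a MySQL server (SQLite accepts backtick-quoted identifiers); the helper quoteIdentifier(), the table name and the sample value are constructed for illustration.

```php
<?php
// Added example, not from the original post. Runs offline against in-memory
// SQLite (assumption: pdo_sqlite is available); names and values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Identifier context: wrap the name in backticks and double any backtick
// inside it, so the name cannot terminate its own quoting.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

$table  = quoteIdentifier('mytable');
$column = quoteIdentifier('date');     // the field name used in the answer
$pdo->exec("CREATE TABLE $table ($column TEXT)");

$string = "it's 5 o'clock";            // value containing single quotes

// 1. Backticks on the column alone do nothing for the value: the first
//    quote inside $string closes the literal early and the parse fails.
try {
    $pdo->exec("INSERT INTO $table ($column) VALUES ('$string')");
    $unescapedResult = 'accepted';
} catch (PDOException $e) {
    $unescapedResult = 'rejected';
}

// 2. Literal context: escape the value for the driver in use, then embed it.
//    PDO::quote() also adds the surrounding single quotes.
$literal = $pdo->quote($string);
$pdo->exec("INSERT INTO $table ($column) VALUES ($literal)");

// 3. A bound parameter passes the value outside the SQL text entirely.
//    Identifiers cannot be bound, so the backtick quoting is still needed.
$stmt = $pdo->prepare("INSERT INTO $table ($column) VALUES (?)");
$stmt->execute([$string]);

$rows = $pdo->query("SELECT $column FROM $table")->fetchAll(PDO::FETCH_COLUMN);

echo "unescaped insert: $unescapedResult\n";
echo "escaped literal:  $literal\n";
echo "rows stored:      " . count($rows) . "\n";
```

The SQLite driver escapes a single quote by doubling it, while MySQL's escaping functions prefix it with a backslash; in both cases the escaping belongs to the value, and the backticks belong to the column name.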