0

The following code is correct:

$str = "INSERT INTO table ('".$val1."',"."'".$val2."'".","."'".$val3."'".","."'".$val4."')";

but the code below is incorrect:

$str = "INSERT INTO table ('".$val1."',"."'".$val2."'".","."".$val3."'".","."'".$val4."')";

The above example is small, but you can see that larger cases of the above are annoying to debug when one misses out a ' or a ". Is there a better way of concatenating strings in PHP? I want to have variables with single inverted commas on both sides, and I want the string to be made using double inverted commas.

There must be a better way. I write a lot of queries from PHP that talk to an Oracle DB, and I am constantly making mistakes with these strings!!

Thank you :).

4
  • 2
    Step 1: Use PDO, prepared statements, and placeholders. Step 2: .... Step 3: Profit. Commented Sep 14, 2011 at 6:16
  • @mu is too short: pdo oracle driver is not recommended for production, unfortunately Commented Sep 14, 2011 at 6:17
  • @mu is too short: he meant that ... should be ??? Commented Sep 14, 2011 at 6:22
  • @zerkms: Right, too late to edit. Shame about the Oracle driver. Commented Sep 14, 2011 at 6:23

6 Answers

5
$str = sprintf("INSERT INTO table ('%s', '%s', ...", $val1, $val2);

or use prepared statements


3 Comments

Excellent.. that will save me a huge amount of time!
Looks very clean, but I think you should wrap $val1 and $val2 with mysql_real_escape_string() as others noticed here.
@Sergiy: it is oracle, not mysql. And I did notice that prepareds are preferred
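As an added example (not code from the answer above), here is the same four-column INSERT built first with sprintf(), as the answer suggests, and then as a PDO prepared statement with named placeholders. The table my_table, its column names, and the DSN and credentials are assumptions for illustration only:

```php
<?php
// Added example, not from the original question or answers.
// Assumes a table MY_TABLE(COL1, COL2, COL3, COL4) and a PDO Oracle DSN;
// the host, service name and credentials below are placeholders.

declare(strict_types=1);

// The sprintf() approach from the answer: the quoting is easier to read than
// manual concatenation, but every value still becomes part of the SQL text.
function buildBySprintf(string $val1, string $val2, string $val3, string $val4): string
{
    return sprintf(
        "INSERT INTO my_table (col1, col2, col3, col4) VALUES ('%s', '%s', '%s', '%s')",
        $val1, $val2, $val3, $val4
    );
}

// A perfectly legitimate value containing an apostrophe: the apostrophe ends
// the literal early, the remainder is parsed as SQL, and the statement is now
// malformed. An attacker-chosen value changes the statement instead of
// breaking it, which is the SQL injection the other answers warn about.
$broken = buildBySprintf("O'Brien", 'b', 'c', 'd');

// Prepared statement: the SQL text contains only placeholders, so there are
// no quotes around the values to balance, and the driver sends the values
// separately from the statement text.
function insertRow(PDO $pdo, string $val1, string $val2, string $val3, string $val4): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO my_table (col1, col2, col3, col4) VALUES (:v1, :v2, :v3, :v4)'
    );
    $stmt->execute([
        ':v1' => $val1,
        ':v2' => $val2,
        ':v3' => $val3,
        ':v4' => $val4,
    ]);
    return $stmt->rowCount();
}

// Placeholder connection details; replace with your own.
$pdo = new PDO('oci:dbname=//db.example.com:1521/ORCL', 'scott', 'tiger', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// The apostrophe is stored as data; it is never parsed as SQL.
insertRow($pdo, "O'Brien", 'b', 'c', 'd');
```

Note that only values can be bound this way; table and column names are part of the statement text and must come from your own code (or an allow-list), never from user input. If, as the comments say, the PDO Oracle driver is not an option, the oci8 extension gives the same separation of statement and data through oci_parse() and oci_bind_by_name().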
3

You can try this

$str = "INSERT INTO table ('$val1','$val2','$val3')";

1 Comment

Awesome.. I didn't know you could do that (duh :P). Best solution so far +1.
2

Use prepared statements for that: https://www.php.net/manual/en/pdo.prepared-statements.php

Never just concatenate arbitrary values to create a SQL statement. You will create millions of SQL injection holes in your application. http://xkcd.com/327/

At the very least, use mysql_real_escape_string or equivalent.

I recommend you do some reading about security and application design before writing any PHP application of consequence.

3 Comments

Really valuable advice +1. See comments above about PDO Oracle driver though. Loving the XKCD.
With mysql_real_escape_string(), even though I am using an Oracle DB, I think it would ensure my queries are safe even though it's intended for MySQL right? Can't seem to find any Oracle equivalent.
@alemaster: for oracle the better approach is to use prepared statements with oci_parse()
0

How about

echo implode(",", array(
   '"'.$val1.'"',
   '"'.$val2.'"',
   '"'.$val3.'"',
));

But I must say that you can do it much easier with prepared statements.

1 Comment

I like it but I think I would make the same number of mistakes with this :P.
0

Create your own function with http://php.net/manual/en/function.func-get-args.php and foreach, and use SQL escaping for each param. See example 1 on the page.

Comments

0

When dealing with large param sets I prefer to put them into an array and join them with the implode() function, like in the code below:

$params = array('param1','param2','param3');
$param_string = "('".implode("','", $params)."')";

Comments
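The implode() idea above works well when the joined parts are bind placeholders rather than values, which is also the oci_parse() approach recommended in the comments to the earlier answer. The following is an added example, not code from either answer: it takes a column => value array, builds the placeholder list with implode(), and binds every value with oci_bind_by_name(). The oci8 extension, the table my_table with columns col1..col4, and the connection details are assumptions:

```php
<?php
// Added example, not from the original answers. Assumes the oci8 extension,
// a table MY_TABLE with columns COL1..COL4, and placeholder connection details.

declare(strict_types=1);

/**
 * Insert one row given an associative array column => value.
 * Column names cannot be bound as parameters, so they are checked against a
 * fixed allow-list; the values are bound and never concatenated into the SQL.
 *
 * @param resource             $conn  connection from oci_connect()
 * @param array<string,string> $row   column => value
 */
function insertRow($conn, array $row): void
{
    $allowedColumns = ['col1', 'col2', 'col3', 'col4'];
    $columns = array_keys($row);
    foreach ($columns as $column) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
    }

    // Same implode() trick as the answer above, but what gets joined is the
    // list of placeholder names (:col1, :col2, ...), not the values.
    $placeholders = array_map(fn(string $c): string => ':' . $c, $columns);
    $sql = sprintf(
        'INSERT INTO my_table (%s) VALUES (%s)',
        implode(', ', $columns),
        implode(', ', $placeholders)
    );

    $stmt = oci_parse($conn, $sql);
    if ($stmt === false) {
        $err = oci_error($conn);
        throw new RuntimeException($err['message'] ?? 'oci_parse() failed');
    }

    // oci_bind_by_name() binds by reference, so each placeholder must point at
    // its own variable: bind the array element itself, not a loop variable
    // that would be overwritten on the next iteration. $row stays alive until
    // this function returns, i.e. past oci_execute().
    foreach ($columns as $column) {
        if (!oci_bind_by_name($stmt, ':' . $column, $row[$column])) {
            throw new RuntimeException("Bind failed for :$column");
        }
    }

    // Default execution mode commits on success.
    if (!oci_execute($stmt)) {
        $err = oci_error($stmt);
        throw new RuntimeException($err['message'] ?? 'oci_execute() failed');
    }
    oci_free_statement($stmt);
}

// Placeholder connection details; replace with your own.
$conn = oci_connect('scott', 'tiger', '//db.example.com:1521/ORCL');
if ($conn === false) {
    $err = oci_error();
    throw new RuntimeException($err['message'] ?? 'oci_connect() failed');
}

// A value with an apostrophe is stored verbatim; nothing in the SQL text
// depends on the data, so there are no quotes to balance or escape.
insertRow($conn, [
    'col1' => "O'Brien",
    'col2' => 'b',
    'col3' => 'c',
    'col4' => 'd',
]);
```

The allow-list is the part easy to forget: binding protects the values, but if the array keys came from a request, the column names would still be concatenated into the statement, so they must be validated separately.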
