
pg_escape_string

(PHP 4 >= 4.2.0, PHP 5, PHP 7, PHP 8)

pg_escape_string - Escape a string for query

Description

pg_escape_string(PgSql\Connection $connection = ?, string $data): string

pg_escape_string() escapes a string for querying the database. It returns an escaped string in the PostgreSQL format without quotes. pg_escape_literal() is the preferred way to escape SQL parameters for PostgreSQL. addslashes() must not be used with PostgreSQL. If the type of the column is bytea, pg_escape_bytea() must be used instead. pg_escape_identifier() must be used to escape identifiers (e.g. table names, field names).

Note:

This function requires PostgreSQL 7.2 or later.

Parameters

connection

A PgSql\Connection instance. When connection is unspecified, the default connection is used. The default connection is the last connection made by pg_connect() or pg_pconnect().

Warning

As of PHP 8.1.0, using the default connection is deprecated.

data

A string containing text to be escaped.

Return Values

A string containing the escaped data.

Changelog

Version	Description
8.1.0	The connection parameter expects a PgSql\Connection instance now; previously, a resource was expected.

Examples

Example #1 pg_escape_string() example

<?php

// Connect to the database
$dbconn = pg_connect('dbname=foo');

// Read in a text file (containing apostrophes and backslashes)
$data = file_get_contents('letter.txt');

// Escape the text data (the connection is passed explicitly, since relying
// on the default connection is deprecated as of PHP 8.1.0)
$escaped = pg_escape_string($dbconn, $data);

// Insert it into the database; pg_escape_string() does not add the quotes
pg_query($dbconn, "INSERT INTO correspondence (name, data) VALUES ('My letter', '{$escaped}')");
?>

See Also


User Contributed Notes (7 notes)

strata_ranger at hotmail dot com
15 years ago
For those curious, the exact escaping performed on the string may vary slightly depending on your database configuration.

For example, if your database's standard_conforming_strings variable is OFF, backslashes are treated as a special character and pg_escape_string() will ensure they are properly escaped. If this variable is ON, backslashes will be treated as ordinary characters, and pg_escape_string() will leave them as-is. In either case, the behavior matches the configuration of the database connection.
ringerc at ringerc dot id dot au
11 years ago
You should prefer to use pg_query_params, i.e. use parameterized queries, rather than using pg_escape_string. Or use the newer PDO interface with its parameterized query support.

If you must substitute values directly, e.g. in DDL commands that don't support execution as parameterized queries, do so with pg_escape_literal:
http://au1.php.net/manual/en/function.pg-escape-literal.php

Identifiers can't be used as query parameters. Always use pg_escape_identifier for these if they're substituted dynamically:
http://au1.php.net/manual/en/function.pg-escape-identifier.php

You should not need to change text encodings when using this function. Make sure your connection's client_encoding is set to the text encoding used by PHP, and the PostgreSQL client driver will take care of text encodings for you. No explicit utf-8 conversions should be necessary with a correctly set client_encoding.
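The following is an added example, written for this page and not taken from the PHP manual or from any of the note authors. It walks through the choices the description and the note above lay out: bound parameters via pg_query_params() for values, pg_escape_literal() where a value has to be inlined, pg_escape_identifier() for table and column names, and pg_escape_string() only when you supply the quotes yourself, with addslashes() shown for contrast. The connection string, the `archive` table, the allow-list, and the input values are assumptions constructed for the example; the `correspondence (name, data)` table is the one from the manual's own example.

```php
<?php
// Added example, not part of the PHP manual or of any user note.
// Connection string and table names are hypothetical.
declare(strict_types=1);

$conn = pg_connect('host=localhost dbname=appdb user=app password=app');
if ($conn === false) {
    throw new RuntimeException('pg_connect failed');
}

// Constructed untrusted input: a single quote and a backslash are exactly the
// characters that break naive string concatenation, so both are included.
$name  = "O'Brien \\ test";
$table = 'correspondence';   // imagine this arrived in a request parameter

// 1) Values: bind them. The text travels separately from the SQL and is never
//    parsed as part of the statement, so no escaping is involved at all.
$res = pg_query_params(
    $conn,
    'INSERT INTO correspondence (name, data) VALUES ($1, $2) RETURNING name',
    [$name, 'body of the letter']
);
if ($res === false) {
    throw new RuntimeException(pg_last_error($conn));
}
var_dump(pg_fetch_assoc($res)['name'] === $name);   // bool(true): stored verbatim

// 2) Values that must be inlined (DDL takes no parameters): pg_escape_literal()
//    adds the surrounding quotes itself and follows the connection's
//    standard_conforming_strings setting, so the caller cannot mis-quote it.
$literal = pg_escape_literal($conn, $name);
pg_query($conn, "COMMENT ON TABLE correspondence IS {$literal}");

// 3) Identifiers cannot be bound: pg_escape_identifier() double-quotes and
//    escapes them. An allow-list check first is still the cheaper control.
$allowed = ['correspondence', 'archive'];             // constructed allow-list
if (!in_array($table, $allowed, true)) {
    throw new InvalidArgumentException('unknown table');
}
$ident = pg_escape_identifier($conn, $table);
$res   = pg_query($conn, "SELECT count(*) AS n FROM {$ident}");
var_dump((int) pg_fetch_assoc($res)['n'] >= 1);        // bool(true)

// 4) pg_escape_string() only escapes; the quotes are yours to add. Equivalent
//    to pg_escape_literal() when done right, but one missed quote away from a
//    broken statement, which is why the manual prefers pg_escape_literal().
$escaped = pg_escape_string($conn, $name);
pg_query($conn, "DELETE FROM correspondence WHERE name = '{$escaped}'");

// For comparison only: addslashes() produces O\'Brien \\ test. With
// standard_conforming_strings=on (the PostgreSQL default) a backslash is
// ordinary data, so the quote after it is NOT escaped and ends the literal.
// pg_escape_string() instead doubles the quote: O''Brien \ test (the backslash
// is doubled too only when standard_conforming_strings is off).
var_dump(addslashes($name));
var_dump(pg_escape_string($conn, $name));
```

Each of the four statements above is safe against the constructed input; the difference is how much of the quoting responsibility stays with the caller, which is the order of preference the description gives.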
Nathan Bruer
17 years ago
If your database is a UTF-8 database, you will run into problems trying to add some data into your database...

for security issues and/or compatibility you may need to use the: utf8_encode() (http://php.net/utf8-encode) function.

for example:
<?php
$my_data = pg_escape_string(utf8_encode($_POST['my_data']));
?>
johniskew2 at yahoo dot com
19 years ago
For those who escape their single quotes with a backslash (ie \') instead of two single quotes in a row (ie '') there has recently been a SERIOUS sql injection vulnerability that can be employed taking advantage of your chosen escaping method. More info here:
http://www.postgresql.org/docs/techdocs.50

Even after the postgre update, you may still be limited to what you can do with your queries if you still insist on backslash escaping. It's a lesson to always use the PHP functions to do proper escaping instead of ad hoc addslashes or magic quotes escaping.
meng
19 years ago
Since php 5.1 the new function pg_query_params() was introduced. With this function you can use bind variables and don't have to escape strings. If you can use it, do so. If unsure why, check the changelog for Postgres 8.0.8.
otix
19 years ago
Creating a double-tick is just fine. It works the same as the backslash-tick syntax. From the PostgreSQL docs:

The fact that string constants are bound by single quotes presents an obvious semantic problem, however, in that if the sequence itself contains a single quote, the literal bounds of the constant are made ambiguous. To escape (make literal) a single quote within the string, you may type two adjacent single quotes. The parser will interpret the two adjacent single quotes within the string constant as a single, literal single quote. PostgreSQL will also allow single quotes to be embedded by using a C-style backslash.
ppp
14 years ago
pg_escape_string() won't cast array arguments to the "Array" string like php usually does; it returns NULL instead. The following statements all evaluate to true:
<?php
$a = array('foo', 'bar');
"$a" == 'Array';
(string)$a == 'Array';
$a.'' == 'Array';

is_null(pg_escape_string($a));
?>