I have a SQL query that goes like this: UPDATE User SET flag=’Y’ WHERE

Question

0

Asked: May 26, 20262026-05-26T19:11:57+00:00 2026-05-26T19:11:57+00:00

I have a SQL query that goes like this: UPDATE User SET flag=’Y’ WHERE

0

I have a SQL query that goes like this:

UPDATE User SET flag='Y' WHERE email=(SELECT email FROM Forum WHERE id='$id');

Because the email address can consist of single quotes and some special characters (s*a'{f`%$.=*+~&^#|g!/hd@[66.112.45.34] and vy.”(),:;<>[]”.VY.”vy\\ \@\”vy”.unal@str.exe.com are both valid email addresses), I am not sure whether it is necessary to do the subquery separately, escape the output, followed by using it in the main query.

What is your suggestion?

ADD NOTE: $id is a safe number.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-26T19:11:57+00:00

Editorial Team

2026-05-26T19:11:57+00:00Added an answer on May 26, 2026 at 7:11 pm

You don’t need to escape anything because there is a subquery, but of course you need to escape the id value to put it in the string.

If possible, you should use a parameterised query instead of concatenating the value into the string. Then you don’t have to escape anything.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a SQL query that goes like this: UPDATE User SET flag=’Y’ WHERE

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply