Home/ Questions/Q 7812539
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T04:32:28+00:00

I have this piece of code in PHP and using a PostgreSQL as the

  • 0

I have this piece of code in PHP and using a PostgreSQL as the database. I am getting all the parameters from the GET. Have checked them by printing it. The formed query executes on a Postgres terminal but fails from the PHP script.

Here is the piece of code.

<?php

$link = pg_connect("host=localhost dbname=postgres user=postgres password=password") or die('connection failed');

# Building the query
$newq=sprintf("update purchase_info set ....... comments=%s where id=%s",......,$comm,$id);

    print $newq; // This query runs on the postgres terminal
    $query=addslashes($newq); // to escape "" as one of my fields is comments
    $result=pg_query($link,$newq);

    if (!$result) {
        echo "An error occured.\n";
    }
    pg_close($link);
?>

Other queries run in the same script. This SQL statement has about 14 field being updated.

What Is going wrong hear.
Appreciate the help!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You shouldn’t be using addslashes to quote strings for PostgreSQL, you should use pg_escape_literal:

    pg_escape_literal() escapes a literal for querying the PostgreSQL database. It returns an escaped literal in the PostgreSQL format. pg_escape_literal() adds quotes before and after data. Use of this function is recommended instead of pg_escape_string().

    You should never use addslashes for quoting strings for a database:

    It’s highly recommended to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL)

    You should be doing this:

    $newq = sprintf("update purchase_info set ... comments=%s where id=%d", ..., pg_escape_literal($comm), $id);

    I’m assuming that id is actually a number as well.

    • 0