I've manage to pass exception into ModelState by overriding MvcContrib.FluentController.AbsteactFluentController.ExecuteCheckValidCall(Func…

Question

0

Editorial Team

Asked: May 13, 20262026-05-13T20:02:06+00:00 2026-05-13T20:02:06+00:00

Is there a function in PHP that adds quotes to a string? like ‘.str.’

0

Is there a function in PHP that adds quotes to a string?

like "'".str."'"

This is for a sql query with varchars. I searched a little, without result…

I do the following:

$id = "NULL";
$company_name = $_POST['company_name'];         
$country = $_POST['country'];
$chat_language = $_POST['chat_language'];
$contact_firstname = $_POST['contact_firstname'];
$contact_lastname = $_POST['contact_lastname'];
$email = $_POST['email'];
$tel_fix = $_POST['tel_fix'];
$tel_mob = $_POST['tel_mob'];       
$address = $_POST['address'];       
$rating = $_POST['rating'];

$company_name = "'".mysql_real_escape_string(stripslashes($company_name))."'";
$country = "'".mysql_real_escape_string(stripslashes($country))."'";
$chat_language = "'".mysql_real_escape_string(stripslashes($chat_language))."'";
$contact_firstname = "'".mysql_real_escape_string(stripslashes($contact_firstname))."'";
$contact_lastname = "'".mysql_real_escape_string(stripslashes($contact_lastname))."'";
$email = "'".mysql_real_escape_string(stripslashes($email))."'";
$tel_fix = "'".mysql_real_escape_string(stripslashes($tel_fix))."'";
$tel_mob = "'".mysql_real_escape_string(stripslashes($tel_mob))."'";
$address = "'".mysql_real_escape_string(stripslashes($address))."'";
$rating = mysql_real_escape_string(stripslashes($rating));

$array = array($id, $company_name, $country, $chat_language, $contact_firstname, 
$contact_lastname, $email, $tel_fix, $tel_mob, $address, $rating);
$values = implode(", ", $array);

$query = "insert into COMPANIES values(".$values.");";

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-13T20:02:06+00:00

Firstly, I see you’re using stripslashes(). That implies you have magic quotes on. I would suggest turning that off.

What you might want to do is put some of this in a function:

function post($name, $string = true) {
  $ret = mysql_real_escape_string(stripslashes($_POST[$name]));
  return $string ? "'" . $ret . "'" : $ret;
}

and then:

$company_name = post('company_name');

All this does however is reduce the amount of boilerplate you have slightly.

Some have suggested using PDO or mysqli for this just so you can use prepared statements. While they can be useful it’s certainly not necessary. You’re escaping the fields so claims of vulnerability to SQL injection (at least in the case of this code) are misguided.

Lastly, I wouldn’t construct a query this way. For one thing it’s relying on columns in the companies table being of a particular type and order. It’s far better to be explicit about this. I usually do this:

$name = mysql_real_escape_string($_POST['name']);
// etc
$sql = <<<END
INSERT INTO companies
(name, country, chat_language)
VALUES
($name, $country, $language)
END;

That will sufficient for the task. You can of course investigate using either mysqli or PDO but it’s not necessary.

How to approach applying for a job at a company ...

What is a programmer’s life like?

How to handle personal stress caused by utterly incompetent and ...

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions