#42569 [Opn]: json_encode does not escape single quotes

Wed, 05 Sep 2007 12:07:00 -0700 

 ID:               42569
 User updated by:  prikid at gmail dot com
 Reported By:      prikid at gmail dot com
 Status:           Open
 Bug Type:         JSON related
 Operating System: FreeBSD 6
 PHP Version:      5.2.4
 New Comment:

$name = "Mike O'Brien";
$name = mysql_escape_string($name);
$email = "[EMAIL PROTECTED]";
$settings = array("name" => $name,"email" => $email);
$json = json_encode($settings);

var_dump($json);

---
output is:
string(49) "{"name":"Mike O\\'Brien","email":"[EMAIL PROTECTED]"}"

Double quoted and still generates error when trying to insert into
mysql db.


Previous Comments:
------------------------------------------------------------------------

[2007-09-05 18:41:47] bas at tobin dot nl

that's correct... JSON is just a way to serialize data to a string.

It's not the purpose of JSON to serialize data to be directly included
in a statement for a specific database. 

The way MySQL escape strings is not a "universal" method as for
instance MS SQL does it another way. 

If you wish to use JSON to store data in MySQL you should escape the
JSON string with the specific MySQL function to escape strings, see the

mysql_escape_string() and mysql_real_escape_string() functions

------------------------------------------------------------------------

[2007-09-05 18:22:12] prikid at gmail dot com

Description:
------------
When using json_encode() and trying to insert into mysql table field
with single quotes - single quote is not escaped and mysql produces
error.

Reproduce code:
---------------
$name = "Mike O'Brien";
$email = "[EMAIL PROTECTED]";
$settings = array("name"=> $name,"email" => $email);
$json = json_encode($settings);
$sql = "INSERT INTO `users` VALUES('".$json."')";
$result = mysql_query($sql) or die (mysql_error());

Expected result:
----------------
Successfull mysql insertion with escaped single quote.

Actual result:
--------------
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'Brien


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=42569&edit=1

Reply via email to