PHP MySQL Insert “{$clientname}” as a string not PHP variable

Question

Ok, first question so here goes,

A function that runs on activation of a module I am writing needs to put email templates into a MySQL db. The problem is these are smarty templates and use {$vars}, now when I do this in PHP the {$vars} are interpreted as PHP variables to be put into the sql query before being run.

How do I tell PHP to not interpret "{$var}" as a variable but as a string?

This is the current query:

$sqlEmail1 = "INSERT INTO `tblemailtemplates` (`type`, `name`, `subject`, `message`, `attachments`, `fromname`, `fromemail`, `disabled`, `custom`, `language`, `copyto`, `plaintext`)
VALUES ('general', 'IPGeek - Custom Email 1', 'Password Reset', 'Some text that contains {$company_name} among other things', '', '', '', '', '1', '', '', 0)"

And this should be the email template the above creates:

Some text that contains {$company_name} among other things

But it creates this instead:

Some text that contains 

Any help would be very gladly received!

Answer 1

When a string is specified in double quotes or with heredoc, variables are parsed within it.

Note: Unlike the double-quoted and heredoc syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings.

Use ' instead of "

echo '{$var}';

Or escape $:

echo "{\$var}";

Learn more: php strings

UPDATE: Minimal effort fix is just to add \ before $:

$sqlEmail1 = "INSERT INTO `tblemailtemplates` (`type`, `name`, `subject`, `message`, `attachments`, `fromname`, `fromemail`, `disabled`, `custom`, `language`, `copyto`, `plaintext`)
VALUES ('general', 'IPGeek - Custom Email 1', 'Password Reset', 'Some text that contains {\$company_name} among other things', '', '', '', '', '1', '', '', 0)";

Answer 2

How about escaping the values properly?

• mysql_real_escape_string
• mysqli_real_escape_string
• PDO::quote()

I'm betting there are ' (apostrophes) in your templates. If so, it would break your SQL syntax.