thminco

  1. Here is what I have moving the string from temp table to permanent table...

         $query="SELECT * FROM ttmmodeltemp WHERE `processed` = 'No' AND `verified` = 'Yes'";
         $result=mysql_query($query) or die("Error: ". mysql_error(). " with query ". $query);
         $num=mysql_num_rows($result);
         $i=0;
         while ($i < $num) {
             $displayheight=mysql_result($result,$i,"Display height");
             $sql="INSERT INTO ttmmodels (`Display height`) VALUES ('$displayheight')";
             $i++;
         }
  2. PFM if I manually put in the backslashes in the `ttmmodeltemp` table, then my code seamlessly moves 5\' 10\" into the permanent table and stores it correctly as 5' 10", ready to display later. Thus, I am trying to eliminate this manual correction and have the temp table string stored as 5\' 10\". I'm sure there is an easier way, but it's beyond me.
  3. OK thanks...I will play with it some more, but what is the '%s' doing in the query?
  4. PFM I am trying to get the backslashes into the table!
  5. HHHHMMM that looks very similar to what I tried...I created the variable like this $displayheight = "5\\"."\'"." 10\\"."\""; The insert just puts it in as 5' 10"
  6. OK..here is the part of the code I have where I am trying to take a string from an sql table that contains the single and double quote and put it into another table. How do I escape this variable ($displayheight) so it will work?

         $query="SELECT * FROM ttmmodeltemp WHERE `processed` = 'No' AND `verified` = 'Yes'";
         $result=mysql_query($query) or die("Error: ". mysql_error(). " with query ". $query);
         $num=mysql_num_rows($result);
         $i=0;
         while ($i < $num) {
             $displayheight=mysql_result($result,$i,"Display height");
             $sql="INSERT INTO ttmmodels (`Display height`) VALUES ('$displayheight')";
             $i++;
         }
  7. It's a long story...basically I'm a rookie and this is the easiest solution I can come up with
  8. I am trying to take this string... 5' 10" And insert it into an sql table as this... 5\' 10\" When I create the following variable, it gets inserted into the sql table without the backslashes. $displayheight = "5\' 10\""; I tried to figure this out using the php manual (It says use a double backslash for a "literal" backslash...whatever that is?)
  9. I'm trying to take this input string from an html form.... 5' 10"
     1) Put it into an sql table (this part is working)
     2) Take it out of first sql table using a php script and put it into a different sql table (this part is not working)

     Here is what I have code wise... The html form creates the variable "height" and assigns an integer for the chosen height:

         <select name="height" id="height2" size="1"> <option value="70">5' 10"</option>

     The form processing script takes the variable integer and creates a variable for display as 5' 10"

         $height = $_POST['height'];
         IF ($height == "70") {$displayheight = "5\' 10\"";}

     The same script then "inserts" string into first table as 5' 10"

     When the second script tries to use the string, I get hung up because of the single and double quotes in the string. I'm using this in a while loop to extract the string from an array...

         $height=mysql_result($result,$i,"Height");

     Do I need to "escape" the variable at this point? Or do I have to store it in the first table with backslashes escaping both the single and double quotes? OR? As always, any help is greatly appreciated!!
  10. Did you mean as below? (I tried that) <input type="hidden" name="httpreferer" value="<?php echo $_SERVER['HTTP_REFERER']; ?>" />
  11. Can someone please tell me what I am doing wrong here? For some reason, the variable does not seem to be getting passed to the "action" php script. This input is in my html form (action=post)...

          <input type="hidden" name="httpreferer" value="<?php echo $_SERVER['HTTP_REFERER'] ?>" />

      This is in the action script...

          $httpreferer=$_POST['httpreferer'];
          echo $httpreferer;
  12. I'm thinking of using md5 &/or sha1 and salt to store passwords into an sql database table. My question is... would it not be safer to store the salt "clear text" in another table and just leave a "key" so to speak in the table with the password? In other words, if a hacker gets into the password and key table by using sql injection, does he only have access to that table since he wouldn't even know the name of the other table unless he also was able to access the script code?
  13. I am building a new site for my brother and was wondering what the users out here thought about the many options for password security in a MYSQL database. Is using md5 &/or sha1 with some scheme of salting enough? I am also curious about AES & BLOWFISH. How are these implemented? Also, are php code files on a server subject to the same security issues as an SQL database? (In other words, can hackers get at these files to view the code which might include schemes for salting?) Thanks to all, Newbie Tom Edit (KP): No need to shout
  14. Very interesting Dan and it makes a lot of sense now. What about using both md5 and sha1 and salt and concatenating them all together? Would that be another layer of defense? Or maybe 2 password fields stored in the database, one with the md5 data and one with the sha1 data?
  15. DAN!!!!!!!!!! You are truly the man! There was one blank line in the code before the opening php (<?php) statement in line 2. Once I deleted that first blank line...It worked just fine! Thank you so much for all your help, and BTW I will look into the other encrypting method you mentioned. I have only 2 passwords in the database (one of them encrypted/hashed) so now is a good time to start using whatever is the best encryption!! Thanks again SO MUCH to everyone who helped! I am sure my code is overall a LOT cleaner and better, but with plenty still to do!! Tom
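
An added example for the quoting problem in posts 1 to 9 above (not code from the thread): when the value is bound as a parameter of a prepared statement, the quotes in 5' 10" never become part of the SQL text, so nothing has to be stored with backslashes. It assumes PDO with an in-memory SQLite database so it runs offline; the `id` column, the `processed` update and the sample rows are constructed, while the table and column names come from the posts.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO + in-memory SQLite
// (the posts use MySQL), an `id` column, and constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("CREATE TABLE ttmmodeltemp (
    id INTEGER PRIMARY KEY,
    `Display height` TEXT, `processed` TEXT, `verified` TEXT)");
$pdo->exec("CREATE TABLE ttmmodels (`Display height` TEXT)");

// Constructed rows: two heights with quotes and one value that looks like SQL.
$seed = $pdo->prepare(
    "INSERT INTO ttmmodeltemp (`Display height`, `processed`, `verified`)
     VALUES (?, 'No', 'Yes')");
foreach (["5' 10\"", "6' 1\"", "5'); --"] as $value) {
    $seed->execute([$value]);
}

// Copy verified, unprocessed rows. Values travel as bound parameters,
// so the driver never parses them as part of the statement.
function copyVerifiedHeights(PDO $pdo): int
{
    $rows = $pdo->query(
        "SELECT id, `Display height` AS height FROM ttmmodeltemp
         WHERE `processed` = 'No' AND `verified` = 'Yes'")
        ->fetchAll(PDO::FETCH_ASSOC);

    $insert = $pdo->prepare(
        "INSERT INTO ttmmodels (`Display height`) VALUES (:height)");
    $mark = $pdo->prepare(
        "UPDATE ttmmodeltemp SET `processed` = 'Yes' WHERE id = :id");

    $pdo->beginTransaction();           // copy and flag together, or not at all
    foreach ($rows as $row) {
        $insert->execute([':height' => $row['height']]);
        $mark->execute([':id' => $row['id']]);
    }
    $pdo->commit();
    return count($rows);
}

echo copyVerifiedHeights($pdo), " rows copied\n";
foreach ($pdo->query("SELECT `Display height` AS height FROM ttmmodels") as $row) {
    echo $row['height'], "\n";          // stored exactly as entered, quotes included
}
```

Escape for HTML with `htmlspecialchars()` only at the point where the height is printed into a page, not when it is stored.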
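
An added example for the password storage questions in posts 12 to 14 above (not code from the thread): PHP's `password_hash()` generates a random salt for each password and stores it inside the returned string, so a separate salt table is not needed, and an existing salted md5 entry can be upgraded at the next successful login. The legacy scheme `md5($salt . $password)`, the record layout and the sample values are assumptions made for the illustration.

```php
<?php
// Added example. Assumed legacy scheme: md5($salt . $password).
// The record layout ('scheme', 'salt', 'hash') is hypothetical.
function legacyHash(string $salt, string $password): string
{
    return md5($salt . $password);
}

// Check a login attempt. Returns the record to write back to the database
// (upgraded where needed), or null when the password is wrong.
function verifyAndUpgrade(array $user, string $password): ?array
{
    if ($user['scheme'] === 'legacy-md5') {
        // hash_equals() compares in constant time.
        if (!hash_equals($user['hash'], legacyHash($user['salt'], $password))) {
            return null;
        }
        // Correct password: replace the fast hash with a slow, salted one.
        return [
            'scheme' => 'password_hash',
            'salt'   => null,           // the salt now lives inside 'hash'
            'hash'   => password_hash($password, PASSWORD_DEFAULT),
        ];
    }

    if (!password_verify($password, $user['hash'])) {
        return null;
    }
    // Re-hash when PHP's default algorithm or cost has changed since storage.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $user;
}

// Constructed sample record, as it might sit in the table before migration.
$stored = [
    'scheme' => 'legacy-md5',
    'salt'   => 'constructed-salt',
    'hash'   => legacyHash('constructed-salt', 'correct horse'),
];

var_dump(verifyAndUpgrade($stored, 'wrong guess') === null);
$upgraded = verifyAndUpgrade($stored, 'correct horse');
echo $upgraded['scheme'], "\n";
var_dump(password_verify('correct horse', $upgraded['hash']));
echo password_get_info($upgraded['hash'])['algoName'], "\n";
```

Size the hash column generously (255 characters is the usual recommendation) so a future default algorithm still fits.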