
Escaping characters for an insert statement



#1 Chips


Posted 19 June 2006 - 09:58 AM

Hello, having some trouble with this one. Checked the php.net topics for anything; nothing can be found. Tried using "addslashes()" but that doesn't seem to work either!

So can anyone give me any quick pointers on what characters need to be escaped, and if they know of any functions that do this (integrated in PHP), or whether I'll have to use a different function and tailor it or not.

Especially relevant to:

Preventing SQL injection attacks on an MSSQL database (dunno how, but guessing ensuring they can't insert SQL statements into queries that are just supposed to insert data instead!).
Allowing users' names like O'Donnel etc.
Allowing users to put ! ? " - ' ; : etc. inside comment sections that will be logged into a database table.

Unfortunately having massive trouble finding any information with regards to MSSQL, and plenty on MySQL that just doesn't work (tried addslashes and nothing was entered when putting ' into a string of text!).

Many thanks if anyone can help out.

#2 Barand


Posted 01 July 2006 - 07:42 PM

To input names like O'Donnel you need to change it to O''Donnel (two single quotes) to insert it into the table, unlike MySQL which requires \'.
If you are still using mysql_ functions, STOP! Use mysqli_ or PDO. The longer you leave it the more you will have to rewrite.

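An added example, not code from either post, that shows the two routes Barand's reply contrasts: doubling single quotes when you must build a T-SQL string literal yourself, and a PDO prepared statement, which is the route that needs no escaping at all. The table name `comments`, its columns, and the `sqlsrv:` DSN read from the environment are assumptions for illustration; the sample name and comment text are constructed from the question.

```php
<?php
// Added example for the thread above; not the poster's or the forum's code.
declare(strict_types=1);

/**
 * Quote a PHP string as a T-SQL string literal for MSSQL.
 * MSSQL escapes a single quote inside a literal by doubling it, so
 * O'Donnel becomes 'O''Donnel'. The other characters in the question
 * (! ? " - ; :) need no escaping inside a single-quoted literal.
 * The N prefix makes it a Unicode (nvarchar) literal.
 * addslashes() produces O\'Donnel, which MSSQL reads as a backslash
 * followed by the end of the literal, hence the failure in the question.
 */
function tsqlStringLiteral(string $value): string
{
    // A NUL byte cannot be carried inside a literal; refuse it rather
    // than let a client library silently truncate the value.
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in string value');
    }
    return "N'" . str_replace("'", "''", $value) . "'";
}

/** Build an INSERT with inline literals (only for drivers without parameters). */
function buildCommentInsert(string $name, string $comment): string
{
    // Table and column names are assumed for this example.
    return 'INSERT INTO comments (author, body) VALUES ('
        . tsqlStringLiteral($name) . ', ' . tsqlStringLiteral($comment) . ')';
}

/**
 * Preferred route: a prepared statement. The driver sends the values
 * separately from the SQL text, so quotes in user data are never parsed
 * as SQL and no manual escaping is involved.
 */
function insertCommentPdo(PDO $db, string $name, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $name, ':body' => $comment]);
}

// Constructed inputs taken from the question.
$name    = "O'Donnel";
$comment = "Great post! Really? \"Yes\" - it's ok; see: http://example.invalid";

echo buildCommentInsert($name, $comment), PHP_EOL;

// The PDO path only runs when a connection string is supplied, e.g.
//   MSSQL_DSN="sqlsrv:Server=localhost;Database=forum" MSSQL_USER=... MSSQL_PASS=... php example.php
// (pdo_sqlsrv DSN assumed; adjust for your driver.)
$dsn = getenv('MSSQL_DSN');
if ($dsn !== false) {
    $db = new PDO($dsn, getenv('MSSQL_USER') ?: null, getenv('MSSQL_PASS') ?: null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    insertCommentPdo($db, $name, $comment);
}
```

Run it with `php example.php` to see the literal-building form print an INSERT where `O'Donnel` and `it's` appear as `O''Donnel` and `it''s`; set `MSSQL_DSN` to exercise the prepared-statement path against a real server. Treat `tsqlStringLiteral()` as a fallback for legacy drivers only: it handles quoting of string data, but prepared statements remove the class of mistake entirely, which is why the reply above says to move to mysqli_ or PDO.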



