ShootingBlanks, Posted February 9, 2009

Hello. I'm getting this error if I enter anything with an apostrophe (in this case, entering "starbuck's"):

Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near 's'. (severity 15) in D:\Inetpub\wwwroot\HatTrakker.anixter.com\admin\insertPrize.php on line 35
Warning: mssql_query() [function.mssql-query]: message: Unclosed quotation mark after the character string ''. (severity 15) in D:\Inetpub\wwwroot\HatTrakker.anixter.com\admin\insertPrize.php on line 35

The PHP code I'm using is:

    $prize_name = $_POST['prize_name'];

The SQL query that is erroring out is:

    $query_listPrizes = "SELECT PRIZE_ID FROM dbo.CNH_PRIZES WHERE PRIZE_NAME = '$prize_name' AND BUS_GRP = 'ECS'";

I've tried entering "starbuck\'s" instead of "starbuck's", and I get the same error. I've also tried changing my code to:

    $prize_name = str_replace("'", "'", $_POST['prize_name']);

Also the same results. Any ideas??? Thanks!
printf, Posted February 9, 2009

use...

    mysql_real_escape_string();

    $query_listPrizes = "SELECT PRIZE_ID FROM dbo.CNH_PRIZES WHERE PRIZE_NAME = '" . mysql_real_escape_string ( $prize_name ) . "' AND BUS_GRP = 'ECS'";

Sorry, mssql... addslashes();
ShootingBlanks (Author), Posted February 9, 2009

> use...
>
>     mysql_real_escape_string();
>
>     $query_listPrizes = "SELECT PRIZE_ID FROM dbo.CNH_PRIZES WHERE PRIZE_NAME = '" . mysql_real_escape_string ( $prize_name ) . "' AND BUS_GRP = 'ECS'";

Getting closer!... Is there a MSSQL equivalent to the mysql_real_escape_string? Because I'm using SQL (not MySQL), and now I get the following error:

Fatal error: Call to undefined function mysql_real_escape_string() in D:\Inetpub\wwwroot\HatTrakker.anixter.com\admin\insertPrize.php on line 32
printf, Posted February 9, 2009

MSSQL:

    function mssqlEscape ( $string )
    {
        if ( true === ( bool ) get_magic_quotes_gpc () )
        {
            $string = stripslashes ( $string );
        }
        if ( ! is_numeric ( $string ) )
        {
            $string = str_replace ( "'", "''", $string );
        }
        return $string;
    }

    // example usage...
    $prize_name = mssqlEscape ( $_POST['prize_name'] );
ShootingBlanks (Author), Posted February 9, 2009

> MSSQL:
>
>     function mssqlEscape ( $string )
>     {
>         if ( true === ( bool ) get_magic_quotes_gpc () )
>         {
>             $string = stripslashes ( $string );
>         }
>         if ( ! is_numeric ( $string ) )
>         {
>             $string = str_replace ( "'", "''", $string );
>         }
>         return $string;
>     }
>
>     // example usage...
>     $prize_name = mssqlEscape ( $_POST['prize_name'] );

That doesn't cause any errors, but it does cause the apostrophe to turn into two apostrophes... So, if someone enters:

    starbuck's

It will display as:

    starbuck''s

Is there a solution to really make it display exactly how it's intended???
printf, Posted February 9, 2009

You only use that function when you need to perform a query... (it's needed because mssql uses that as its escape sequence: '' <= 2 apostrophes escape a single apostrophe.) Such as...

    $query_listPrizes = "SELECT PRIZE_ID FROM dbo.CNH_PRIZES WHERE PRIZE_NAME = '" . mssqlEscape ( $prize_name ) . "' AND BUS_GRP = 'ECS'";
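The two approaches discussed in this thread side by side, as an added example that is not code from any poster: the apostrophe-doubling escape applied only when the query string is built (so the stored and displayed value stays "starbuck's"), and the bound-parameter form, which needs no escaping at all. The PDO part assumes a PHP build with a SQL Server PDO driver (pdo_sqlsrv or pdo_dblib); the table and column names are the ones from the thread.

```php
<?php
// Added example, not from the thread. Assumes PHP with a SQL Server PDO driver.

// 1. Escaping for a T-SQL string literal. The only escape inside a single-quoted
//    T-SQL literal is a doubled apostrophe; a backslash means nothing to SQL Server,
//    which is why "starbuck\'s" and addslashes() both still fail.
function mssqlEscapeLiteral(string $value): string
{
    return str_replace("'", "''", $value);
}

// Escape at query-build time only. $prizeName itself is left untouched, so it
// can be echoed back or stored as the user typed it.
function buildLookupQuery(string $prizeName): string
{
    return "SELECT PRIZE_ID FROM dbo.CNH_PRIZES WHERE PRIZE_NAME = '"
        . mssqlEscapeLiteral($prizeName) . "' AND BUS_GRP = 'ECS'";
}

// 2. Preferred: a prepared statement with bound parameters. The driver sends the
//    value separately from the SQL text, so quoting in the input cannot change
//    the statement's structure and no escaping function is needed.
function findPrizeId(PDO $db, string $prizeName): ?int
{
    $stmt = $db->prepare(
        'SELECT PRIZE_ID FROM dbo.CNH_PRIZES WHERE PRIZE_NAME = :name AND BUS_GRP = :grp'
    );
    $stmt->execute([':name' => $prizeName, ':grp' => 'ECS']);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed sample input, the same value the original poster entered.
$prizeName = "starbuck's";
echo buildLookupQuery($prizeName), "\n";
echo "Value kept for display: ", $prizeName, "\n";
```

With the escaped literal, the WHERE clause reads PRIZE_NAME = 'starbuck''s', which SQL Server compares against the single-apostrophe value; the doubled form never reaches the stored data or the page output.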