WarKirby Posted December 31, 2009

Having an issue with a php script, I've narrowed the problem down to the fact that my quotesmart function is somehow putting two ' at the start of a string. So I'm trying to add a little check in, so that it only adds ' quotes if the string doesn't already have them.

How do I make this work though? Specifically, I'm running two if checks, to see whether the first and then the last character are equal to ' and only adding it if not. But trying to check if ($value[0] != "'") just doesn't really work. It messes up the code and everything after that is treated as a string.

So how can I do a comparison like this?

PFMaBiSmAd Posted December 31, 2009

"quotesmart function"

Perhaps if you told us why you were using a function to add quotes to the beginning of a string and posted the code for that function, someone could see how to help.

oni-kun Posted December 31, 2009

    if (substr($value, 0, 1) == "'") {
        //Do nothing, or add param to function to skip quote
    } else {
        //Add quote to beginning
    }

Do you mean something like this? But it would be helpful if you told us what the function was, and yeah, why it's adding them in the first place.

WarKirby (Author) Posted December 31, 2009

The function puts single quotes around inputs and does some other stuff to prevent injection attacks.

The snippet you've posted is what I'm trying to use. Syntax highlighting in notepad++ shows everything after that line being treated as a quoted string, though. Are you sure that will work?

PFMaBiSmAd Posted December 31, 2009

If you have quotes as part of the data, you must escape them before you surround the data in single-quotes that are part of the query syntax. Your function is not protecting against sql injection if you are not escaping the string data.

ChemicalBliss Posted December 31, 2009

I don't see a reason for the quotesmart function, mysql_real_escape_string() should suffice for any data escaping. Then just put the quotes in manually for the SQL queries, will save on the amount of code you write (the quotes I guarantee will take less space than entire functions, and it's quicker).

-CB-
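
An added example (not code from any poster in this thread) showing why a "does it already have quotes?" check cannot stand in for escaping: it runs a hypothetical `quote_if_missing()` check beside escape-then-quote and a bound parameter. It assumes PDO with an in-memory SQLite database and a constructed `users` table so it runs offline; PDO is swapped in for `mysql_real_escape_string()`, since the mysql_* extension was removed in PHP 7.0.

```php
<?php
// Added example; table, rows, inputs and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('o''brien')");

// Hypothetical reconstruction of the check discussed in the thread:
// add a quote only where one is not already present, with no escaping.
function quote_if_missing(string $value): string
{
    if (substr($value, 0, 1) != "'") { $value = "'" . $value; }
    if (substr($value, -1) != "'")   { $value = $value . "'"; }
    return $value;
}

function count_rows(PDO $db, string $sql): int
{
    return (int) $db->query($sql)->fetchColumn();
}

// Constructed inputs: a plain name, a name containing a quote, and a
// value that already starts and ends with a quote (the check adds nothing).
$inputs = ["alice", "o'brien", "'' OR 'a'='a'"];

foreach ($inputs as $input) {
    // 1. Check-then-wrap: quotes inside the data become query syntax.
    try {
        $naive = count_rows($db,
            "SELECT COUNT(*) FROM users WHERE name = " . quote_if_missing($input));
    } catch (PDOException $e) {
        $naive = 'syntax error';
    }

    // 2. Escape first, then always wrap; PDO::quote() does both steps.
    $escaped = count_rows($db,
        "SELECT COUNT(*) FROM users WHERE name = " . $db->quote($input));

    // 3. Prepared statement: the value never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name = ?");
    $stmt->execute([$input]);
    $bound = (int) $stmt->fetchColumn();

    printf("%-14s naive=%-12s escaped=%d bound=%d\n", $input, $naive, $escaped, $bound);
}
```

Only the first input behaves the same in all three variants; for the other two, the check-then-wrap query either fails to parse or matches rows the literal value does not name, while the escaped and bound versions treat the whole value as data.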