
PHP and '


4 replies to this topic

#1 Goatman
  • New Members
  • Newbie
  • 3 posts

Posted 08 September 2006 - 01:45 AM

I am creating (or trying to create) an online database of goat info. The problem I have is that some of the animal names contain '. While a name with the ' is displayed fine, when I try to insert the record into the table (MySQL), the query fails. If I work directly with MySQL, I can add a record with a ' as part of the value for a field.

What am I missing?

Thanks
Dave

#2 Nhoj
  • Members
  • Advanced Member
  • 223 posts
  • Location: Clearwater, FL

Posted 08 September 2006 - 01:49 AM

Try editing your query to use str_replace() to insert a backslash before the '

$goatinfo = str_replace("'", "\\'", $_POST['GOATINFO']);

Obviously change the $_POST value to the actual form value.

Edit, if that doesn't work, use

$goatinfo = addslashes($_POST['GOATINFO']);

Avid PHP Developer, need some work done? Send a PM ;)

#3 SharkBait
  • Members
  • Advanced Member
  • 845 posts
  • Location: Metro Vancouver, BC

Posted 08 September 2006 - 03:04 AM

Can use
mysql_real_escape_string()
or, for those running older than PHP 4.3.*??
mysql_escape_string()

I've been switching to that instead of using str_replace() so that I can catch other odd escape characters in MySQL queries.

#4 Goatman
  • New Members
  • Newbie
  • 3 posts

Posted 09 September 2006 - 12:22 AM

Thanks for both of your suggestions. I will try them all and see how they work and learn. :D

#5 radalin
  • Members
  • Advanced Member
  • 179 posts

Posted 09 September 2006 - 12:37 AM

Well, try something like MDB2. Use its escape, prepare and execute methods. It will do all the required changes for you, and you won't need to worry about injection attacks.

By the way, never use the str_replace() function to protect your code from SQL injection. Instead of putting a single quote, they can also try to add its Unicode equivalent, which str_replace will miss (as I remember) but MySQL won't. Also there are some other special characters in the SQL syntax, like #, which mutes your code. To protect from them use mysql_real_escape_string or something like mysqli if you use PHP 5 or higher.
Roy Simkes
Yet Another Parkyeri Developer
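The three approaches in this thread side by side, as an added example that is not code from any of the posters: the string concatenation that produces the failing query from post #1, the quoting suggested in replies #2 and #3, and the prepare/execute pattern from reply #5. It uses PDO against an in-memory SQLite database so it runs offline without a MySQL server (the pdo_sqlite extension is assumed); the goats table, its name column and the injection-shaped sample name are made up for illustration.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs
// without a MySQL server; "goats"/"name" are assumed names for illustration.
// Swapping the DSN for 'mysql:host=...;dbname=...' keeps the rest unchanged.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE goats (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// 1. What the original post is doing: splicing the raw name into the SQL text.
//    A name containing ' closes the string literal early and the query fails.
function insert_by_concatenation(PDO $pdo, string $name): void
{
    $sql = "INSERT INTO goats (name) VALUES ('" . $name . "')";
    $pdo->exec($sql);
}

// 2. The escaping approach from replies #2 and #3. addslashes() is shown
//    because it needs no connection; with a live MySQL link the right call is
//    mysql_real_escape_string($name, $link) (PHP 4.3+) or
//    mysqli_real_escape_string($link, $name). PDO::quote() is the driver-aware
//    equivalent and adds the surrounding quotes itself.
function quote_for_sql(PDO $pdo, string $name): array
{
    return [
        'addslashes' => "'" . addslashes($name) . "'",
        'PDO::quote' => $pdo->quote($name),
    ];
}

// 3. The prepare/execute approach from reply #5: the value is bound as a
//    parameter and never becomes part of the SQL text, so no quoting is
//    needed and the name cannot change the statement's meaning.
function insert_prepared(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO goats (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Constructed sample input: the original poster's case plus an injection-shaped name.
$names = [
    "Billy",
    "O'Malley",
    "Nanny'); DELETE FROM goats; --",
];

// The failure the original post describes.
try {
    insert_by_concatenation($pdo, "O'Malley");
} catch (PDOException $e) {
    echo "concatenation failed: " . $e->getMessage() . "\n";
}

foreach ($names as $name) {
    foreach (quote_for_sql($pdo, $name) as $method => $literal) {
        echo str_pad($method, 11) . " => " . $literal . "\n";
    }
    insert_prepared($pdo, $name);
}

// Read back: every name, quote and all, is stored exactly as entered.
foreach ($pdo->query('SELECT id, name FROM goats ORDER BY id') as $row) {
    echo "{$row['id']}: {$row['name']}\n";
}
```

Run it with `php goats.php`. Two things the output makes visible: addslashes() produces the backslash form MySQL accepts (`'O\'Malley'`), while SQLite's PDO::quote() doubles the quote instead (`'O''Malley'`), so the quoting rules belong to the database driver, not to a hand-rolled str_replace(); and the prepared insert stores "Nanny'); DELETE FROM goats; --" as plain data, which is why binding parameters is the fix to reach for and escaping only the fallback where a value cannot be bound (identifiers, for instance). Against MySQL, set PDO::ATTR_EMULATE_PREPARES to false if you want server-side prepared statements rather than PDO's client-side emulation.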



