Ignore ' in Query

[Mko]

I have the following Query:

$query = "INSERT INTO characters SET psalt = '" .$salt. "'"; 

 

However, when the salt is generated, it may contain a ', thus stopping the Query.

I need to know how I could make it so the Query would be unaffected by the ' in the salt value.

 

Thanks!

[Psycho]

The same as you would for any data that may contain content that could foul the query: mysql_real_escape_string()

[Mko]

The same as you would for any data that may contain content that could foul the query: mysql_real_escape_string()

As a result, would the \ be inserted into the salt value in the database as well?

[scootstah]

Yes.

[Mko]

Yes.

Oh, that's problematic. Is there any way NOT to have it inserted into the Database (the /)?

[scootstah]

Use prepared statements.

 

Why exactly do you need quotes in your salt?

[samshel]

I might be wrong....but i am not sure if you escape a single quote, the slash will get stored in database.

It just tells MySQL to not consider the single quote as a syntax

but again i might be wrong..

 

mysql> INSERT INTO `temp` (last_name) values ('sam\'shel');

Query OK, 1 row affected (0.00 sec)

 

mysql> SELECT * FROM temp\G

*************************** 1. row ***************************

        last_name: sam'shel

[Mko]

Use prepared statements.

 

Why exactly do you need quotes in your salt?

Well, the salts are randomly generated, and on occasion, may contain a '.

Then, the salts are combined with the hash that's generated elsewhere to produce the password. This password is referenced with the user input to determine if it's a match.

[scootstah]

I might be wrong....but i am not sure if you escape a single quote, the slash will get stored in database.

It just tells MySQL to not consider the single quote as a syntax

but again i might be wrong..

 

mysql> INSERT INTO `temp` (last_name) values ('sam\'shel');

Query OK, 1 row affected (0.00 sec)

 

mysql> SELECT * FROM temp\G

*************************** 1. row ***************************

        last_name: sam'shel

 

Hmm, perhaps it does not then, I thought it did.

 

I've used only prepared statements for a long time. *shrug*

[Mko]

I might be wrong....but i am not sure if you escape a single quote, the slash will get stored in database.

It just tells MySQL to not consider the single quote as a syntax

but again i might be wrong..

 

mysql> INSERT INTO `temp` (last_name) values ('sam\'shel');

Query OK, 1 row affected (0.00 sec)

 

mysql> SELECT * FROM temp\G

*************************** 1. row ***************************

        last_name: sam'shel

 

Wohoo, it works!

Thanks a lot everyone, you've all been a tremendous help!

[Psycho]

The same as you would for any data that may contain content that could foul the query: mysql_real_escape_string()

As a result, would the \ be inserted into the salt value in the database as well?

 

Yes.

 

Fail

 

That's the whole point of mysql_real_escape_string() - it escapes characters so they will be interpreted as literal characters in the query and not control characters (e.g. quotes around a value)

 

Example:

$value = "foo'bar";
$sql_value = mysql_real_escape_string($value);

$query = "INSERT INTO `table` (`field`) VALUES ('$sql_value')";
echo $query; //Output: INSERT INTO `table` (`field`) VALUES ('foo\'bar')

If that query is run the actual value inserted into the database will be foo'bar, without the backslash. It's not really any different than escaping quotemarks that are included in a quoted string

echo "<input type=\"text\" name=\"email\" />";

 

[scootstah]

The same as you would for any data that may contain content that could foul the query: mysql_real_escape_string()

As a result, would the \ be inserted into the salt value in the database as well?

 

Yes.

 

Fail

 

Meh.

 

Like I said, it's been a long time since I've worked that way. I remember having to stripslashes data from a database at one point... must have been for some other reason.

[Psycho]

Like I said, it's been a long time since I've worked that way. I remember having to stripslashes data from a database at one point... must have been for some other reason.

 

Probably using mysql_real_escape_string() on inserted values that were first run through magic quotes.