PHP Server Side Scripting Forum

MySQL and Quotation marks
monolift
msg:1267780
4:45 pm on Jul 23, 2002 (gmt 0)

I have a page on a client's website that is used to update company news.

There are a couple of PHP scripts to update or add news items. The problem is that any time there is a quotation mark in the text of the news item, MySQL interprets it as the end of the string and then ends up returning a syntax error.

Is there any way to make MySQL ignore the quotation marks inside the query?

I know how to do this when I echo html, but it doesn't seem to work the same way for the MySQL query.

 

Brett_Tabke
msg:1267781
4:47 pm on Jul 23, 2002 (gmt 0)

Ya, you have to escape all sql queries. Not being the php person around here, not sure how you do that with php.

monolift
msg:1267782
4:50 pm on Jul 23, 2002 (gmt 0)

Would that be with magic quotes?

I've read a bit about these, but I'm not exactly sure how they work.

jatar_k
msg:1267783
4:55 pm on Jul 23, 2002 (gmt 0)

if you just want to escape chars in a large string you can use addslashes() [php.net] and then when you output it you can use stripslashes() [php.net].

monolift
msg:1267784
4:55 pm on Jul 23, 2002 (gmt 0)

Never mind, I found the answer.

If anyone else was wondering, the quotes are escaped with the addslashes function.

mavherick
msg:1267785
4:56 pm on Jul 23, 2002 (gmt 0)

well you can use the following before you execute your insert:

// mysql_escape_string() puts a backslash before quotes and other special characters
$escaped_query = mysql_escape_string($query);
// send the escaped text to MySQL (legacy mysql extension, removed in PHP 7)
$result = mysql_query($escaped_query);

mavherick

abilstein
msg:1267786
4:58 pm on Jul 23, 2002 (gmt 0)

A quick word on Magic Quotes. Although it can be very tempting to use, they can prove to be a nightmare on portability. I highly advise against it unless you have a particular reason that they are needed. Standardization is good - magic quotes are not standard. :) Stick with add/strip slashes.

toadhall
msg:1267787
5:02 pm on Jul 23, 2002 (gmt 0)

You can test to see if magic quotes are on using get_magic_quotes_runtime (0 = off, 1 = on).

addslashes() and stripslashes() are the functions to use to escape double quotes et al.

see:
www.php.net/get_magic_quotes_runtime
www.php.net/addslashes
www.php.net/stripslashes
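An added example, not code from this thread, showing how the magic-quotes check above fits into a script: input is normalised back to what the user typed, and escaping is then applied exactly once, so the same code behaves the same whether the setting is on or off. It uses get_magic_quotes_gpc() (the request-input counterpart of get_magic_quotes_runtime), guarded with function_exists() because the function was removed in PHP 8; the sample form value is constructed.

```php
<?php
// Added example: escape request input exactly once, whatever magic_quotes_gpc says.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard
// (on PHP 7.4 it still exists, is deprecated, and always returns false).

function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Return the value the user actually typed, undoing the slashes PHP added if magic quotes are on.
function raw_input(string $value): string
{
    return magic_quotes_active() ? stripslashes($value) : $value;
}

// Build the escaped form for a string literal in the SQL text, from the raw value only.
function sql_escaped(string $rawValue): string
{
    return addslashes($rawValue);
}

// Constructed sample: what $_POST['title'] would contain for the typed text  it's "quoted"
$fromForm = magic_quotes_active() ? "it\\'s \\\"quoted\\\"" : "it's \"quoted\"";

$clean  = raw_input($fromForm);   // always: it's "quoted"
$forSql = sql_escaped($clean);    // escaped once, never twice

echo "typed : $clean\n";
echo "in SQL: $forSql\n";
```

Calling stripslashes() only when magic quotes are active is what avoids the portability problem abilstein describes: on a host with the setting on, escaping twice stores literal backslashes; on a host with it off, skipping the escape leaves the query open to stray quotes.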

ggrot
msg:1267788
6:14 pm on Jul 23, 2002 (gmt 0)

Another thing to note is that if you are taking any user variable and running a sql query with it, you will want to run addslashes first. Even if the input is done on a drop down box w/ two choices. Inputs to a script can always be changed by a malicious user. Imagine if your yes/no input got changed to the string '";DROP *;' where the double quotes are actually part of the string. The ; would indicate the end of 1 mySql query and the beginning of the next one. While the first one may return invalid, the next one will delete the entire database (oh fun, huh?).
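An added example (not from the thread) that takes the tampered yes/no value from the post above and shows three ways of getting it into a query: pasted straight into the SQL text, run through addslashes() first as the thread recommends, and bound as a parameter of a prepared statement. The first two are only built as strings and printed for inspection; only the prepared statement is executed. It uses PDO with an in-memory SQLite database as a stand-in for MySQL so that it runs offline (assumption: the pdo_sqlite extension is installed); the table and values are constructed.

```php
<?php
// Added example: the same user value handled three ways.
// PDO + SQLite in memory stands in for MySQL; the survey table is constructed.

$expected = 'yes';          // the value the drop-down was meant to send
$tampered = '";DROP *;';    // the tampered value from the post above

// 1. Value interpolated into the SQL text: the quote in the data closes the literal early.
function buildUnsafe(string $answer): string
{
    return "INSERT INTO survey (answer) VALUES (\"$answer\")";
}

// 2. Value escaped with addslashes() first: the quote now has a backslash and stays inside the literal.
function buildEscaped(string $answer): string
{
    return 'INSERT INTO survey (answer) VALUES ("' . addslashes($answer) . '")';
}

// 3. Prepared statement: SQL text and data are sent separately, so nothing in the
//    data can close the literal or start a second statement, and no escaping is needed.
function insertPrepared(PDO $db, string $answer): void
{
    $stmt = $db->prepare('INSERT INTO survey (answer) VALUES (:answer)');
    $stmt->execute([':answer' => $answer]);
}

function storedAnswers(PDO $db): array
{
    return $db->query('SELECT answer FROM survey ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey (id INTEGER PRIMARY KEY, answer TEXT)');

// Show, without running them, what the two string-built queries look like.
echo "unsafe : ", buildUnsafe($tampered), "\n";
echo "escaped: ", buildEscaped($tampered), "\n";

// Run the prepared version with both values; the tampered one is stored as plain text.
insertPrepared($db, $expected);
insertPrepared($db, $tampered);
foreach (storedAnswers($db) as $answer) {
    echo "stored : $answer\n";
}
```

In the first printed line the double quote from the data terminates the SQL string literal, which is exactly why the server reports a syntax error, and why the text after it becomes part of the statement rather than part of the value. In the second line a backslash precedes that quote, so the whole thing is one literal again. The prepared statement removes the problem rather than patching it: the bound value is stored verbatim, quote and semicolon included, with no escaping step that can be forgotten or applied twice.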

monolift
msg:1267789
6:29 pm on Jul 23, 2002 (gmt 0)

Thanks for the heads up on that. I will definitely use addslashes from this point on.
