
escaping quotes in a mysql insert statement

Newbie
 
Join Date: Mar 2008
Posts: 1
#1: Mar 31 '08
Hello, I'm having a problem with double quotes, @ symbols and # signs.
When a user submits a text field with those symbols, for example, it cuts them off like so...
    INSERT INTO po_item SET po_id='5304', descrip='10@9', price='0.0000'
The descrip should have more text after it, but a double quote is killing the rest of the input data.
descrip="10@9"x10/M' tt20y / donnick stock";

but as you can see the second set of quotes is killing it.

Currently I thought this was the solution, but I guess I was wrong.

    while(($key,$value)=each(%data)){
            $value=~ s/(["'])/\\$1/g;
            $query.=" $key='$value',";
I thought the $value line would escape those double quotes... anyone know what I should do?
eWish
Moderator
 
Join Date: Jul 2007
Location: Arkansas
Posts: 900
#2: Apr 1 '08

re: escaping quotes in a mysql insert statement


I would suggest something like so.
    my $insert = $dbh->prepare('INSERT INTO table(column1) Values(?)');
    $insert->execute($var1);
This will automatically escape any special characters in $var1. You can also use the quote function. Also, I believe that SET is used when updating a table not inserting new.

--Kevin