Sorry for the double question. I'm having a terrible time figuring out
how to escape apostrophes in my mySQL database. Perhaps they have to
be escaped in the PHP, using mysql_real_escape_string?
This is the code: http://www.gongfamily.net/code.txt
The page in question is: http://www.gongfamily.net/daevid.php
the entry being N'existe Pas. Information about the album should show
up on the left when the title is clicked on, but it doesn't happen
whenever there's an apostrophe. This is an escaping problem, I'm sure,
but the real problem is, I'm over my head!
The second problem is on the same page. You can click a table header
to sort the table, but when I click the 'Group' header, I get the
error:
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'Group ASC' at line 1"
But I'm lost as to what to do here. I've pored over the code, despite
not being very well-versed in PHP. Again, I'm over my head, and would
truly appreciate any help.
TIA
Ian
--
Was it not a comedy, a strange and stupid
matter, this repetition, this running around
in a fateful circle? (Hermann Hesse) http://www.bookstacks.org/
'Group' is an invalid name for a column! (mysql gets confused with the
"GROUP BY" clause).
On 28 Jun 2005 12:32:57 -0700, "saint exupery"
<cr************ ***@gmail.com> wrote:
> 'Group' is an invalid name for a column! (mysql gets confused with the "GROUP BY" clause).
LOL. Thank you so much. That would probably not have occurred to me in
a hundred years! :-)
Ian
--
Was it not a comedy, a strange and stupid
matter, this repetition, this running around
in a fateful circle? (Hermann Hesse) http://www.bookstacks.org/
Ian Rastall (id*******@gmail.com) wrote:
: On 28 Jun 2005 12:32:57 -0700, "saint exupery"
: <cr************ ***@gmail.com> wrote:
: >'Group' is an invalid name for a column! (mysql gets confused with the
: >"GROUP BY" clause).
: LOL. Thank you so much. That would probably not have occurred to me in
: a hundred years! :-)
Apparently mysql can escape keywords using `keyword`.
However, avoiding keywords is the best bet. (I like things like
the_group )
--
This space not for rent.
On 28 Jun 2005 12:54:41 -0800, yf***@vtn1.victoria.tc.ca (Malcolm
Dew-Jones) wrote:
> However, avoiding keywords is the best bet. (I like things like the_group )
I just changed it to "Band". Same difference. :-) What I'm still
having trouble with, though, is figuring out how to escape my
apostrophes. It must just be one line of code in my HTML somewhere,
but I'm not sure where to put it.
The apostrophe problem only seems to happen with album names, since
those are the ones you click on. It takes whatever the name is, tries
to grab that from the db, and can't, because ... not sure, but I think
it's because the apostrophe is interpreted as a command of some sort.
Ian
--
Was it not a comedy, a strange and stupid
matter, this repetition, this running around
in a fateful circle? (Hermann Hesse) http://www.bookstacks.org/
Ian Rastall (id*******@gmail.com) wrote:
: On 28 Jun 2005 12:54:41 -0800, yf***@vtn1.victoria.tc.ca (Malcolm
: Dew-Jones) wrote:
: >However, avoiding keywords is the best bet. (I like things like
: >the_group )
: I just changed it to "Band". Same difference. :-) What I'm still
: having trouble with, though, is figuring out how to escape my
: apostrophes. It must just be one line of code in my HTML somewhere,
: but I'm not sure where to put it.
: The apostrophe problem only seems to happen with album names, since
: those are the ones you click on. It takes whatever the name is, tries
: to grab that from the db, and can't, because ... not sure, but I think
: it's because the apostrophe is interpreted as a command of some sort.
E.g.
$id = mysql_escape_string($_REQUEST['id']);
$sql = "select * from the_table where ID='$id'";
Always escape your values before stuffing them into the sql string (not
just when you think you might need it).
--
This space not for rent.
On 28 Jun 2005 13:37:06 -0800, yf***@vtn1.victoria.tc.ca (Malcolm
Dew-Jones) wrote:
> $id = mysql_escape_string($_REQUEST['id']);
> $sql = "select * from the_table where ID='$id'";
Okay, I think I'm making progress. I changed:
<td><a href="<?php print
$_SERVER['PHP_SELF']."?album=".$row_rsDaevid['Album'];
?>">
to
<td><a href="<?php print
$_SERVER['PHP_SELF']."?album=".mysql_escape_string($row_rsDaevid['Album']);
?>">
which yields an escaped string in the final source code. The page
still doesn't work, though, meaning clicking on the album doesn't pop
up the info on the left. I think it's looking for "N\'existe Pas" in
the db and not finding it.
I looked up the PHP equivalent of "unescape", and found "urldecode",
which I tried to use at the point where it calls the album, at:
<h3><?php echo urldecode($row_rsDaevid['Album']); ?></h3>
but it didn't help. Didn't throw an error, either, but didn't help.
:-)
Am I on the right track here? Thanks for any help. The code, again, is
at: http://www.gongfamily.net/code.txt
TIA
Ian
--
Was it not a comedy, a strange and stupid
matter, this repetition, this running around
in a fateful circle? (Hermann Hesse) http://www.bookstacks.org/
Malcolm Dew-Jones wrote:
> $id = mysql_escape_string($_REQUEST['id']);
> $sql = "select * from the_table where ID='$id'";
> Always escape your values before stuffing them into the sql string (not just when you think you might need it).
You can also use urlencode($var) or htmlentities($var,ENT_QUOTES)
before inserting $var into your database.
Ken
Ken Robinson (ke******@rbnsn.com) wrote:
: Malcolm Dew-Jones wrote:
: > $id = mysql_escape_string($_REQUEST['id']);
: >
: > $sql = "select * from the_table where ID='$id'";
: >
: >
: > Always escape your values before stuffing them into the sql string, (not
: > just when you think you might need it).
: You can also use urlencode($var) or htmlentities($var,ENT_QUOTES)
: before inserting $var into your database.
You can, but you should still use mysql_escape_string on the result when
you embed it in an sql query being handled by mysql.
--
This space not for rent.
Malcolm Dew-Jones wrote:
> Ken Robinson (ke******@rbnsn.com) wrote:
> : You can also use urlencode($var) or htmlentities($var,ENT_QUOTES)
> : before inserting $var into your database.
> You can, but you should still use mysql_escape_string on the result when you embed it in an sql query being handled by mysql.
You learn something new all the time. When you retrieve a string that
was stored this way, does MySQL unescape it or is there a function to
do it?
Ken
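Pulling the thread's advice together in one place, as an added example that is not code from any of the posts: it uses mysqli (the mysql_* functions named above were removed in PHP 7), assumes a table `albums` with columns `id`, `Album` and `Band` plus placeholder credentials, and shows why the apostrophe in N'existe Pas breaks an interpolated query, why a value escaped for SQL needs no unescaping on retrieval (the parser consumes the backslash), why reserved words like Group need backticks, and why URL and HTML encoding belong at output time rather than before the value is stored.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table `albums`
// with columns `id`, `Album`, `Band` and placeholder credentials.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'music');
$db->set_charset('utf8mb4');

$title = "N'existe Pas";   // the album name from the thread

// 1. Interpolating the raw value: the apostrophe closes the literal early,
//    MySQL sees  ... WHERE Album='N'existe Pas'  and reports a syntax error.
$broken = "SELECT id FROM albums WHERE Album='$title'";

// 2. Escaping the value (mysqli's successor to mysql_escape_string). The
//    backslash is consumed by MySQL's parser: the value compared or stored
//    is still  N'existe Pas , so nothing has to be unescaped when reading.
$safe = $db->real_escape_string($title);
$escaped = "SELECT id FROM albums WHERE Album='$safe'";

// 3. Preferred: a prepared statement. The value never becomes SQL text, so
//    neither an apostrophe nor an injection attempt can change the query.
$stmt = $db->prepare('SELECT `id`, `Album`, `Band` FROM `albums` WHERE `Album` = ?');
$stmt->bind_param('s', $title);
$stmt->execute();
$album = $stmt->get_result()->fetch_assoc();

// 4. A column name cannot be bound, so the sort key chosen by clicking a
//    header is checked against a whitelist and backtick-quoted; the
//    backticks are also what lets a reserved word such as Group be a column.
$sortable = ['Album', 'Band'];
$sort = in_array($_GET['sort'] ?? '', $sortable, true) ? $_GET['sort'] : 'Album';
$list = $db->query("SELECT `id`, `Album`, `Band` FROM `albums` ORDER BY `$sort` ASC");

// 5. Encode for each output context when the value is written out, not
//    before it is stored: urlencode for the link, htmlspecialchars for HTML.
//    PHP URL-decodes $_GET['album'] on the next request, so the title that
//    arrives is plain text again and goes straight into bind_param().
foreach ($list as $row) {
    $link  = htmlspecialchars('?album=' . urlencode($row['Album']), ENT_QUOTES);
    $label = htmlspecialchars($row['Album'], ENT_QUOTES);
    echo "<a href=\"$link\">$label</a>\n";
}
```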