Hi All,
When a user enters an Apostrophe into a text area field on a form, i.e.
didn't, it mucks with odbc as follows
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
query expression ''didn't',
Whats the best way to handle this, other than not entering the apostrophe.
I'm stuck with the current backend database as its part of an existing
application.
Any help gratefully appreciated, even with humour I may not understand!
Cheers 12 4166
..oO(Johnny BeGood)
>When a user enters an Apostrophe into a text area field on a form, i.e. didn't, it mucks with odbc as follows
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''didn't',
This not only breaks the query, but allows an attacker to inject
arbitrary malicious SQL commands. Not good.
>Whats the best way to handle this, other than not entering the apostrophe.
You _always_ have to make sure that the data entered into a DB can't do
any harm. To achieve that you have to
1) escape all chars that have a special meaning in SQL
or
2) use prepared statements
The second is the preferred, but whether it's available or not depends
on the used DB backend and the interface.
Micha
Hi Micha,
Thanks for the reply, can you give me some guidance on
2) use prepared statements
The second is the preferred, but whether it's available or not depends
on the used DB backend and the interface.
I have used
$stmt = odbc_prepare($o dbc, "INSERT INTO Tasks (TaskType, Details)
VALUES('$taskty pe','$taskdetai ls');" );
if (!odbc_execute( $stmt))
{
echo odbc_errormsg() ;
}
odbc_close();
But still come up with the same error, I am using an Access 2002 backend
database, only because I'm forced to.
Cheers
..oO(Johnny BeGood)
>Thanks for the reply, can you give me some guidance on
>2) use prepared statements
The second is the preferred, but whether it's available or not depends on the used DB backend and the interface.
I have used
$stmt = odbc_prepare($o dbc, "INSERT INTO Tasks (TaskType, Details) VALUES('$taskt ype','$taskdeta ils');" );
Maybe I should have said "parameteri zed statement". The purpose of such
statements is to use parameters/placeholders in the query string, which
are replaced with the current values _after_ the statement was prepared.
Your code should look like this (just splitted a bit for legibility):
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)';
// prepare the statement
$stmt = odbc_prepare($o dbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute( $stmt, array($tasktype , $taskdetails))) {
...
}
HTH
Micha
Hi Micha,
If I enter didn''t it works, if I enter didn't it comes back with the same
error as before
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
query expression ''didn't',
This is what I have
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($o dbc, $query);
if (!odbc_execute( $stmt, array($tasktype , $taskdetails)))
{
echo odbc_errormsg() ;
}
Where am I going wrong (:
Cheers
"Michael Fesser" <ne*****@gmx.de wrote in message
news:62******** *************** *********@4ax.c om...
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)'; - this
throws a field count error, silly me?
// prepare the statement
$stmt = odbc_prepare($o dbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute( $stmt, array($tasktype , $taskdetails))) {
...
}
HTH
Micha
Johnny BeGood wrote:
"Michael Fesser" <ne*****@gmx.de wrote in message
news:62******** *************** *********@4ax.c om...
>// query string with 2 placeholders $query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)'; - this throws a field count error, silly me?
// prepare the statement $stmt = odbc_prepare($o dbc, $query);
// pass all parameters in an array and execute the statement if (!odbc_execute( $stmt, array($tasktype , $taskdetails))) { ... }
HTH Micha
Hi Micha,
If I enter didn''t it works, if I enter didn't it comes back with the
same error as before
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''didn't',
This is what I have
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($o dbc, $query);
if (!odbc_execute( $stmt, array($tasktype , $taskdetails)))
{
echo odbc_errormsg() ;
}
Where am I going wrong (:
Cheers
(Top posting fixed)
The single quote is defined by SQL as the separator (enclosing
character) for string values. The string you're trying to insert, by
the time it gets to SQL, would be:
'It didn't work'
Note the mismatched single quotes. Some languages, like C and PHP,
escape special characters like this with a backslash, i.e.
'It didn\'t work'.
SQL does it a little differently - you double the apostrophe, so it
comes out as:
'It didn''t work'
And this does work just fine.
P.S. Please don't top post. Thanks.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Hi Jerry,
Thanks for that, how do I get it that the user doesn't have to do anything
other that type in the word?
How can I escape special characters at data entry, the site users will be
typical users, they wont care!
Cheers
PS what is top posting? I've been slapped a few times for this, but don't
fully understand
"Jerry Stuckle" <js*******@attg lobal.netwrote in message
news:Qr******** *************** *******@comcast .com...
Johnny BeGood wrote:
"Michael Fesser" <ne*****@gmx.de wrote in message
news:62******** *************** *********@4ax.c om...
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)'; - this
throws a field count error, silly me?
// prepare the statement
$stmt = odbc_prepare($o dbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute( $stmt, array($tasktype , $taskdetails))) {
...
}
HTH
Micha
Hi Micha,
>
If I enter didn''t it works, if I enter didn't it comes back with the
same error as before
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''didn't',
>
This is what I have
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($o dbc, $query);
if (!odbc_execute( $stmt, array($tasktype , $taskdetails)))
{
echo odbc_errormsg() ;
}
>
Where am I going wrong (:
>
Cheers
>
(Top posting fixed)
The single quote is defined by SQL as the separator (enclosing
character) for string values. The string you're trying to insert, by
the time it gets to SQL, would be:
'It didn't work'
Note the mismatched single quotes. Some languages, like C and PHP,
escape special characters like this with a backslash, i.e.
'It didn\'t work'.
SQL does it a little differently - you double the apostrophe, so it
comes out as:
'It didn''t work'
And this does work just fine.
P.S. Please don't top post. Thanks.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
At Mon, 14 May 2007 07:31:26 +0100, Johny Begood let his monkeys type:
>
PS what is top posting? I've been slapped a few times for this, but don't
fully understand
Top posting is what you'd normally do when replying to an email: you
put your reply ABOVE the quoted message.
In usenet (newsgroups) it is a widely accepted standard to put your reply
BELOW the quoted text. This makes it easier for people to follow the
thread order. Whilst it isn't THAT big a deal for someone using a
newsreader to track back in the thread, others may be viewing the message
in a web browser, without the full thread. For them, a top-posted reply
has no meaning, so they'd have to scroll down first, read the previously
contributed bits and then scroll back up again.
Outlook/Outlook Express unfortunately defaults news-replies to be written
above the quoted text. This setting can easily be changed however.
It is also acceptable to break your reply in pieces, each part
immediately following *below* the part of the quoted text it relates to.
Another thing to keep in mind: only quote what's relevant to your reply.
Cut out the irrelevant bits to keep the message short and to the point.
(e.g.: You may have noticed I cut out the part of your question I am not
replying to)
If you're interested (one might argue every usenetter should be) look up
'usenet etiquette' or usenetiquette' for an elaboration on what (not) to
do using newsgroups.
Many people will 'fix' wrongly ordered replies and ask the person in
question (nicely) to quit top-posting in the future. Simply because many,
especially google-groups users, who often haven't even got a clue they are
in fact entering stuff in a newsgroups (Google has a way of making it all
look like 'their own'), aren't aware of that fact.
And then there are some that ask not so nicely. It's just like with real
people. A few will even PLONK the author altogether if he/she keeps
ignoring the hints. (Google: plonk)
HTH
Sh.
Johnny BeGood wrote:
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($o dbc, $query);
if (!odbc_execute( $stmt, array($tasktype , $taskdetails)))
{
echo odbc_errormsg() ;
}
As you've already been told, you are using prepared queries incorrectly.
Try:
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?);';
$stmt = odbc_prepare($o dbc, $query);
if (!odbc_execute( $stmt, array($tasktype , $taskdetails)))
{
echo odbc_errormsg() ;
}
--
Toby A Inkster BSc (Hons) ARCS http://tobyinkster.co.uk/
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux
"Johnny BeGood" <jb*@jbg.netwro te in message
news:U0******** ***********@new s.indigo.ie...
Hi All,
When a user enters an Apostrophe into a text area field on a form, i.e.
didn't, it mucks with odbc as follows
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator)
in query expression ''didn't',
Whats the best way to handle this, other than not entering the apostrophe.
I'm stuck with the current backend database as its part of an existing
application.
Apostrophes are escaped by another apostrophe. Ie. 'didn't' should be
entered as 'didn''t'. At least this is how it works in MS SQL, and I'm
certain that Access has the same syntax.
-- Ra*********@gma il.com
"Good tea. Nice house." -- Worf This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: CViniciusM |
last post by:
Hello,
a) I have a .h (header file) that declares a struct:
....
typedef struct {
UINT4 state; /* state (ABCD) */
UINT4 count; /* number of bits, modulo 2^64 (lsb first) */
unsigned char buffer; /* input buffer */
} MD5_CTX;
....
|
by: pranab_bajpai |
last post by:
So I want to define a method that takes a "boolean" in a module, eg.
def getDBName(l2):
....
Now, in Python variables are bound to types when used, right?
Eg.
x = 10 # makes it an INT
whereas
|
by: Not Available |
last post by:
On the host server:
namespace JCart.Common
public class JCartConfiguration : IConfigurationSectionHandler
private static String dbConnectionString;
public static String ConnectionString
{
get
{
return dbConnectionString;
|
by: Severino |
last post by:
Hi all,
we have developed a .NET component for use inside Windows Forms: this
component has been written using VC++.NET (2003) and is working perfectly
when inserted inside VC#.NET or VB.NET projects; its generated assembly is
inside MyAssembly.dll
When used inside a VC++.NET project it appears correctly over forms at
design time but when trying to compile the project we get the following
error:
|
by: Severino |
last post by:
Hi all,
we have developed a .NET component for use inside Windows Forms: this
component has been written using VC++.NET (2003) and is working perfectly
when inserted inside VC#.NET or VB.NET projects; its generated assembly is
inside MyAssembly.dll
When used inside a VC++.NET project it appears correctly over forms at
design time but when trying to compile the project we get the following
error:
| |
by: Lyle Fairfield |
last post by:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbaac11/html/acfctNZ_HV05186465.asp
"If the value of the variant argument is Null, the Nz function returns
the number zero or a zero-length string (always returns a zero-length
string when used in a query expression)"
****
How many records are there in FirstTable in which Product Is Null.
SELECT COUNT(*) AS CountofNullProdcut
|
by: sloan |
last post by:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;316495
Radio Buttons Are Not Mutually Exclusive When Used in a Repeater Server
Control
...
Has 2.0 fixed this bug ?
|
by: Ed Sutton |
last post by:
Can any one please offer any theories on how ManualResetEvent.WaitOne
can hang when used with a timeout?
When I notice my USB/Serial devices are no longer receiving
communications, I hit break all, and one of the threads is hanging at:
bool replyReceived =
readerCommand.SignalReply.WaitOne(readerCmd.rxTimeOutMs, false);
Apparently the 1000ms rxTimeOutMs is not working. I have two threads
|
by: Greg |
last post by:
this template won't compile when used with bool, the erorr is
"invalid initialization of non const reference"
template < typename T >
class Vec : public std::vector< T {
public:
Vec() { }
Vec( int s ) : std::vector<T>(s) { }
T& operator(int i) { return this -at(i); }
// <- this line
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |