Hi All,
When a user enters an Apostrophe into a text area field on a form, i.e.
didn't, it mucks with odbc as follows
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
query expression ''didn't',
Whats the best way to handle this, other than not entering the apostrophe.
I'm stuck with the current backend database as its part of an existing
application.
Any help gratefully appreciated, even with humour I may not understand!
Cheers
12  4132 
..oO(Johnny BeGood)
>When a user enters an Apostrophe into a text area field on a form, i.e.
didn't, it mucks with odbc as follows
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
query expression ''didn't',
This not only breaks the query, but allows an attacker to inject
arbitrary malicious SQL commands. Not good.
>Whats the best way to handle this, other than not entering the apostrophe.
You _always_ have to make sure that the data entered into a DB can't do
any harm. To achieve that you have to
1) escape all chars that have a special meaning in SQL
or
2) use prepared statements
The second is the preferred, but whether it's available or not depends
on the used DB backend and the interface.
Micha
Hi Micha,
Thanks for the reply, can you give me some guidance on
2) use prepared statements
The second is the preferred, but whether it's available or not depends
on the used DB backend and the interface.
I have used
$stmt = odbc_prepare($odbc, "INSERT INTO Tasks (TaskType, Details)
VALUES('$tasktype','$taskdetails');" );
if (!odbc_execute( $stmt))
{
echo odbc_errormsg();
}
odbc_close();
But still come up with the same error, I am using an Access 2002 backend
database, only because I'm forced to.
Cheers
..oO(Johnny BeGood)
>Thanks for the reply, can you give me some guidance on
>2) use prepared statements
The second is the preferred, but whether it's available or not depends
on the used DB backend and the interface.
I have used
$stmt = odbc_prepare($odbc, "INSERT INTO Tasks (TaskType, Details)
VALUES('$tasktype','$taskdetails');" );
Maybe I should have said "parameterized statement". The purpose of such
statements is to use parameters/placeholders in the query string, which
are replaced with the current values _after_ the statement was prepared.
Your code should look like this (just splitted a bit for legibility):
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)';
// prepare the statement
$stmt = odbc_prepare($odbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute($stmt, array($tasktype, $taskdetails))) {
...
}
HTH
Micha
Hi Micha,
If I enter didn''t it works, if I enter didn't it comes back with the same
error as before
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
query expression ''didn't',
This is what I have
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($odbc, $query);
if (!odbc_execute($stmt, array($tasktype, $taskdetails)))
{
echo odbc_errormsg();
}
Where am I going wrong (:
Cheers
"Michael Fesser" <ne*****@gmx.dewrote in message
news:62********************************@4ax.com...
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)'; - this
throws a field count error, silly me?
// prepare the statement
$stmt = odbc_prepare($odbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute($stmt, array($tasktype, $taskdetails))) {
...
}
HTH
Micha
Johnny BeGood wrote:
"Michael Fesser" <ne*****@gmx.dewrote in message
news:62********************************@4ax.com...
>// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)'; - this
throws a field count error, silly me?
// prepare the statement
$stmt = odbc_prepare($odbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute($stmt, array($tasktype, $taskdetails))) {
...
}
HTH
Micha
Hi Micha,
If I enter didn''t it works, if I enter didn't it comes back with the
same error as before
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''didn't',
This is what I have
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($odbc, $query);
if (!odbc_execute($stmt, array($tasktype, $taskdetails)))
{
echo odbc_errormsg();
}
Where am I going wrong (:
Cheers
(Top posting fixed)
The single quote is defined by SQL as the separator (enclosing
character) for string values. The string you're trying to insert, by
the time it gets to SQL, would be:
'It didn't work'
Note the mismatched single quotes. Some languages, like C and PHP,
escape special characters like this with a backslash, i.e.
'It didn\'t work'.
SQL does it a little differently - you double the apostrophe, so it
comes out as:
'It didn''t work'
And this does work just fine.
P.S. Please don't top post. Thanks.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Hi Jerry,
Thanks for that, how do I get it that the user doesn't have to do anything
other that type in the word?
How can I escape special characters at data entry, the site users will be
typical users, they wont care!
Cheers
PS what is top posting? I've been slapped a few times for this, but don't
fully understand
"Jerry Stuckle" <js*******@attglobal.netwrote in message
news:Qr******************************@comcast.com. ..
Johnny BeGood wrote:
"Michael Fesser" <ne*****@gmx.dewrote in message
news:62********************************@4ax.com...
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)'; - this
throws a field count error, silly me?
// prepare the statement
$stmt = odbc_prepare($odbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute($stmt, array($tasktype, $taskdetails))) {
...
}
HTH
Micha
Hi Micha,
>
If I enter didn''t it works, if I enter didn't it comes back with the
same error as before
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''didn't',
>
This is what I have
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($odbc, $query);
if (!odbc_execute($stmt, array($tasktype, $taskdetails)))
{
echo odbc_errormsg();
}
>
Where am I going wrong (:
>
Cheers
>
(Top posting fixed)
The single quote is defined by SQL as the separator (enclosing
character) for string values. The string you're trying to insert, by
the time it gets to SQL, would be:
'It didn't work'
Note the mismatched single quotes. Some languages, like C and PHP,
escape special characters like this with a backslash, i.e.
'It didn\'t work'.
SQL does it a little differently - you double the apostrophe, so it
comes out as:
'It didn''t work'
And this does work just fine.
P.S. Please don't top post. Thanks.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
At Mon, 14 May 2007 07:31:26 +0100, Johny Begood let his monkeys type:
>
PS what is top posting? I've been slapped a few times for this, but don't
fully understand
Top posting is what you'd normally do when replying to an email: you
put your reply ABOVE the quoted message.
In usenet (newsgroups) it is a widely accepted standard to put your reply
BELOW the quoted text. This makes it easier for people to follow the
thread order. Whilst it isn't THAT big a deal for someone using a
newsreader to track back in the thread, others may be viewing the message
in a web browser, without the full thread. For them, a top-posted reply
has no meaning, so they'd have to scroll down first, read the previously
contributed bits and then scroll back up again.
Outlook/Outlook Express unfortunately defaults news-replies to be written
above the quoted text. This setting can easily be changed however.
It is also acceptable to break your reply in pieces, each part
immediately following *below* the part of the quoted text it relates to.
Another thing to keep in mind: only quote what's relevant to your reply.
Cut out the irrelevant bits to keep the message short and to the point.
(e.g.: You may have noticed I cut out the part of your question I am not
replying to)
If you're interested (one might argue every usenetter should be) look up
'usenet etiquette' or usenetiquette' for an elaboration on what (not) to
do using newsgroups.
Many people will 'fix' wrongly ordered replies and ask the person in
question (nicely) to quit top-posting in the future. Simply because many,
especially google-groups users, who often haven't even got a clue they are
in fact entering stuff in a newsgroups (Google has a way of making it all
look like 'their own'), aren't aware of that fact.
And then there are some that ask not so nicely. It's just like with real
people. A few will even PLONK the author altogether if he/she keeps
ignoring the hints. (Google: plonk)
HTH
Sh.
Johnny BeGood wrote:
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($odbc, $query);
if (!odbc_execute($stmt, array($tasktype, $taskdetails)))
{
echo odbc_errormsg();
}
As you've already been told, you are using prepared queries incorrectly.
Try:
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?);';
$stmt = odbc_prepare($odbc, $query);
if (!odbc_execute($stmt, array($tasktype, $taskdetails)))
{
echo odbc_errormsg();
}
--
Toby A Inkster BSc (Hons) ARCS http://tobyinkster.co.uk/
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux
"Johnny BeGood" <jb*@jbg.netwrote in message
news:U0*******************@news.indigo.ie...
Hi All,
When a user enters an Apostrophe into a text area field on a form, i.e.
didn't, it mucks with odbc as follows
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator)
in query expression ''didn't',
Whats the best way to handle this, other than not entering the apostrophe.
I'm stuck with the current backend database as its part of an existing
application.
Apostrophes are escaped by another apostrophe. Ie. 'didn't' should be
entered as 'didn''t'. At least this is how it works in MS SQL, and I'm
certain that Access has the same syntax.
-- Ra*********@gmail.com
"Good tea. Nice house." -- Worf
"Johny Begood" <jb*****@mickey.comwrote in message
news:Qo*******************@news.indigo.ie...
Hi Jerry,
Thanks for that, how do I get it that the user doesn't have to do anything
other that type in the word?
How can I escape special characters at data entry, the site users will be
typical users, they wont care!
str_replace("'","''",$user_input);
-- Ra*********@gmail.com
"Good tea. Nice house." -- Worf
Johny Begood wrote:
"Jerry Stuckle" <js*******@attglobal.netwrote in message
news:Qr******************************@comcast.com. ..
>Johnny BeGood wrote:
>>"Michael Fesser" <ne*****@gmx.dewrote in message
news:62********************************@4ax.com. ..
// query string with 2 placeholders
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES (?, ?)'; - this
throws a field count error, silly me?
// prepare the statement
$stmt = odbc_prepare($odbc, $query);
// pass all parameters in an array and execute the statement
if (!odbc_execute($stmt, array($tasktype, $taskdetails))) {
...
}
HTH
Micha
Hi Micha,
If I enter didn''t it works, if I enter didn't it comes back with the
same error as before
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''didn't',
This is what I have
$query = 'INSERT INTO Tasks (TaskType, Details) VALUES ($tasktype,
$taskdetails)';
$stmt = odbc_prepare($odbc, $query);
if (!odbc_execute($stmt, array($tasktype, $taskdetails)))
{
echo odbc_errormsg();
}
Where am I going wrong (:
Cheers
(Top posting fixed)
The single quote is defined by SQL as the separator (enclosing
character) for string values. The string you're trying to insert, by
the time it gets to SQL, would be:
'It didn't work'
Note the mismatched single quotes. Some languages, like C and PHP,
escape special characters like this with a backslash, i.e.
'It didn\'t work'.
SQL does it a little differently - you double the apostrophe, so it
comes out as:
'It didn''t work'
And this does work just fine.
P.S. Please don't top post. Thanks.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Hi Jerry,
Thanks for that, how do I get it that the user doesn't have to do
anything other that type in the word?
How can I escape special characters at data entry, the site users will
be typical users, they wont care!
Cheers
PS what is top posting? I've been slapped a few times for this, but
don't fully understand
(Top posting fixed)
As others have indicated, you can use prepared statements with
parameters, or you can modify the string just before you insert it into
the database, replacing "'" with "''".
And top posting is placing your response at the top of the message,
instead of the bottom (like this), or (as is usually the case with
longer messages), at appropriate places within the previous message.
A. Because it upsets the flow of the discussion.
Q. Why is it so bad?
A. Top posting.
Q. What is the most annoying thing on usenet?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Rami Elomaa wrote:
Apostrophes are escaped by another apostrophe. Ie. 'didn't' should be
entered as 'didn''t'. At least this is how it works in MS SQL, and I'm
certain that Access has the same syntax.
Yep, that's the SQL standard method of escaping quotes. Some databases
also support backslashed escapes ('didn\'t') though that's non-standard,
so it's unwise to rely on such support.
--
Toby A Inkster BSc (Hons) ARCS http://tobyinkster.co.uk/
Geek of ~ HTML/SQL/Perl/PHP/Python/Apache/Linux This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: CViniciusM |
last post by:
Hello,
a) I have a .h (header file) that declares a struct:
....
typedef struct {
UINT4 state; /* state (ABCD) */
UINT4 count; /* number of bits, modulo 2^64 (lsb first) */
unsigned char...
|
by: pranab_bajpai |
last post by:
So I want to define a method that takes a "boolean" in a module, eg.
def getDBName(l2):
....
Now, in Python variables are bound to types when used, right?
Eg.
x = 10 # makes it an INT...
|
by: Not Available |
last post by:
On the host server:
namespace JCart.Common
public class JCartConfiguration : IConfigurationSectionHandler
private static String dbConnectionString;
public static String ConnectionString
{
get...
|
by: Severino |
last post by:
Hi all,
we have developed a .NET component for use inside Windows Forms: this
component has been written using VC++.NET (2003) and is working perfectly
when inserted inside VC#.NET or VB.NET...
|
by: Severino |
last post by:
Hi all,
we have developed a .NET component for use inside Windows Forms: this
component has been written using VC++.NET (2003) and is working perfectly
when inserted inside VC#.NET or VB.NET...
|
by: Lyle Fairfield |
last post by:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbaac11/html/acfctNZ_HV05186465.asp
"If the value of the variant argument is Null, the Nz function returns
the number zero or a...
|
by: sloan |
last post by:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;316495
Radio Buttons Are Not Mutually Exclusive When Used in a Repeater Server
Control
...
Has 2.0 fixed this bug ?
|
by: Ed Sutton |
last post by:
Can any one please offer any theories on how ManualResetEvent.WaitOne
can hang when used with a timeout?
When I notice my USB/Serial devices are no longer receiving
communications, I hit break...
|
by: Greg |
last post by:
this template won't compile when used with bool, the erorr is
"invalid initialization of non const reference"
template < typename T >
class Vec : public std::vector< T {
public:
Vec() { }...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |
