
Escaping for PHP and MySQL

I just found out that an app I wrote doesn't allow the user to input
apostrophes into the textarea. If they do, the insert/update fails.

I'm sure this issue has been done to death - but it's the first time
it's come up for me.

What I'm doing is something like this:

function UpdateRecord($iID, $sContent) {
    $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
    $bSuccess = RunSQL($sSQL);
    return $bSuccess;
}

Is there a simple escape command, or am I going to have to get all into
writing some complex handler for apostrophes and whatnot.

Note: In this example, I'm *totally* ignoring the threat from SQL
injection. I just don't want apostrophes to crash the update/create.

Aug 9 '07 #1
Sanders Kaufman wrote:
> I just found out that an app I wrote doesn't allow the user to input
> apostrophes into the textarea. If they do, the insert/update fails.
>
> I'm sure this issue has been done to death - but it's the first time
> it's come up for me.
>
> What I'm doing is something like this:
>
> function UpdateRecord($iID, $sContent) {
>     $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>     $bSuccess = RunSQL($sSQL);
>     return $bSuccess;
> }
>
> Is there a simple escape command, or am I going to have to get all into
> writing some complex handler for apostrophes and whatnot.

Yes.

> Note: In this example, I'm *totally* ignoring the threat from SQL
> injection. I just don't want apostrophes to crash the update/create.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 9 '07 #2
On Aug 9, 6:42 am, Sanders Kaufman <bu...@kaufman.net> wrote:
> I just found out that an app I wrote doesn't allow the user to input
> apostrophes into the textarea. If they do, the insert/update fails.
>
> I'm sure this issue has been done to death - but it's the first time
> it's come up for me.
>
> What I'm doing is something like this:
>
> function UpdateRecord($iID, $sContent) {
>     $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>     $bSuccess = RunSQL($sSQL);
>     return $bSuccess;
> }
>
> Is there a simple escape command, or am I going to have to get all into
> writing some complex handler for apostrophes and whatnot.

Yes. But you haven't said which database you're using. If you're
using MySQL you want mysql_real_escape_string().

> Note: In this example, I'm *totally* ignoring the threat from SQL
> injection. I just don't want apostrophes to crash the update/create.

Using mysql_real_escape_string() will protect you from that, too.

Aug 9 '07 #3
Please use the addslashes PHP function on the string and then try.

Aug 9 '07 #4
On 09.08.2007 12:42 Sanders Kaufman wrote:
> I just found out that an app I wrote doesn't allow the user to input
> apostrophes into the textarea. If they do, the insert/update fails.
>
> I'm sure this issue has been done to death - but it's the first time
> it's come up for me.
>
> What I'm doing is something like this:
>
> function UpdateRecord($iID, $sContent) {
>     $sContent = addslashes($sContent);
>     $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>     $bSuccess = RunSQL($sSQL);
>     return $bSuccess;
> }
>
> Is there a simple escape command

Yes, see above

> , or am I going to have to get all into
> writing some complex handler for apostrophes and whatnot.

For the real-world applications you have to use a complex handler, but
there's no need to write it, just use an existing library like PDO,
mysqli etc.

> Note: In this example, I'm *totally* ignoring the threat from SQL
> injection. I just don't want apostrophes to crash the update/create.

--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi
Aug 9 '07 #5
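As an added example, not code from the thread or from any of its posters, here is the UpdateRecord function from the question rewritten three ways with PDO, the library the reply above points to: the thread's original string-interpolation shape, driver-aware quoting with PDO::quote() (the PDO counterpart of what mysql_real_escape_string() does for the mysql extension), and a prepared statement. It runs offline against an in-memory SQLite database (assumes the pdo_sqlite extension, bundled with most PHP builds); against MySQL only the DSN changes. The table name MyTable is taken from the question, the sample string is constructed for the example.

```php
<?php
// Added example (not from the thread). Uses PDO with an in-memory SQLite
// database so it runs offline; for MySQL swap the DSN for something like
// "mysql:host=...;dbname=...;charset=utf8mb4" and the bound parameters behave
// the same way.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, content TEXT)");
    $db->exec("INSERT INTO MyTable (id, content) VALUES (1, 'placeholder')");
    return $db;
}

// 1. The shape from the question: the value is pasted into the SQL text.
//    An apostrophe ends the string literal early and the statement no longer
//    parses, which is the "insert/update fails" symptom.
function updateRecordInterpolated(PDO $db, int $iID, string $sContent): bool {
    $sSQL = "UPDATE MyTable SET content='$sContent' WHERE id=$iID";
    try {
        $db->exec($sSQL);
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// 2. Driver-aware quoting. PDO::quote() knows which driver and connection it
//    is quoting for, which is what addslashes() cannot know. It still builds
//    SQL text by hand, so it is the fallback, not the first choice.
function updateRecordQuoted(PDO $db, int $iID, string $sContent): bool {
    $sSQL = "UPDATE MyTable SET content=" . $db->quote($sContent)
          . " WHERE id=" . (int) $iID;
    return $db->exec($sSQL) === 1;
}

// 3. Prepared statement: the value never becomes part of the SQL text, so
//    there is nothing to escape and the content cannot change the statement.
function updateRecordPrepared(PDO $db, int $iID, string $sContent): bool {
    $stmt = $db->prepare("UPDATE MyTable SET content = :content WHERE id = :id");
    $stmt->bindValue(':content', $sContent, PDO::PARAM_STR);
    $stmt->bindValue(':id', $iID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Read the stored value back so the round trip can be checked.
function readContent(PDO $db, int $iID): ?string {
    $stmt = $db->prepare("SELECT content FROM MyTable WHERE id = :id");
    $stmt->execute([':id' => $iID]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

$db = makeDb();

// Constructed sample input: an apostrophe, double quotes, a backslash and a
// newline, the characters that trip up hand-rolled escaping.
$sample = "O'Brien said \"hi\"\\ and left\nearly";

var_dump(updateRecordInterpolated($db, 1, $sample));
var_dump(updateRecordQuoted($db, 1, $sample));
var_dump(readContent($db, 1) === $sample);
var_dump(updateRecordPrepared($db, 1, $sample));
var_dump(readContent($db, 1) === $sample);
```

Run it with `php escaping.php`: the interpolated version fails on the apostrophe, the other two succeed and the stored text reads back unchanged. The mysql_* extension discussed in this thread was removed in PHP 7; its escaping function lives on as mysqli_real_escape_string(), which, like PDO::quote(), needs an open connection because it escapes according to the connection's character set. That connection-specific knowledge is the reason addslashes() is the wrong tool, and the reason prepared statements, which avoid escaping altogether, are the first choice.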
al**********@gmail.com wrote:
> Please use the addslashes PHP function on the string and then try.

addslashes() is not the correct function to use.
mysql_real_escape_string() is.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 9 '07 #6
gosha bine wrote:
> On 09.08.2007 12:42 Sanders Kaufman wrote:
>> I just found out that an app I wrote doesn't allow the user to input
>> apostrophes into the textarea. If they do, the insert/update fails.
>>
>> I'm sure this issue has been done to death - but it's the first time
>> it's come up for me.
>>
>> What I'm doing is something like this:
>>
>> function UpdateRecord($iID, $sContent) {
>
>     $sContent = addslashes($sContent);

mysql_real_escape_string() is much better for this.

>>     $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>>     $bSuccess = RunSQL($sSQL);
>>     return $bSuccess;
>> }
>>
>> Is there a simple escape command
>
> Yes, see above
>
>> , or am I going to have to get all into writing some complex handler
>> for apostrophes and whatnot.
>
> For the real-world applications you have to use a complex handler, but
> there's no need to write it, just use an existing library like PDO,
> mysqli etc.
>
>> Note: In this example, I'm *totally* ignoring the threat from SQL
>> injection. I just don't want apostrophes to crash the update/create.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 9 '07 #7
ZeldorBlat wrote:
> On Aug 9, 6:42 am, Sanders Kaufman <bu...@kaufman.net> wrote:
>> I just found out that an app I wrote doesn't allow the user to input
>> apostrophes into the textarea. If they do, the insert/update fails.
>>
>> I'm sure this issue has been done to death - but it's the first time
>> it's come up for me.
>>
>> What I'm doing is something like this:
>>
>> function UpdateRecord($iID, $sContent) {
>>     $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>>     $bSuccess = RunSQL($sSQL);
>>     return $bSuccess;
>> }
>>
>> Is there a simple escape command, or am I going to have to get all into
>> writing some complex handler for apostrophes and whatnot.
>
> Yes. But you haven't said which database you're using. If you're
> using MySQL you want mysql_real_escape_string().

Thanks - I'll look into that and addslashes.

BTW - did you notice the subject line of this post? :)
Aug 9 '07 #8
ZeldorBlat wrote:
> But you haven't said which database you're using.

See subject line.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 50 days, 54 min.]

Command Line Interfaces, Again
http://tobyinkster.co.uk/blog/2007/0...nd-line-again/
Aug 9 '07 #9
Sanders Kaufman wrote:
> ZeldorBlat wrote:
>> Yes. But you haven't said which database you're using. If you're
>> using MySQL you want mysql_real_escape_string().

It's interesting that this function is not fully a part of PHP, but
rather relies on some libraries in MySQL.

Seems to me, if I was the PHP guys, I wouldn't have made it so. Must be
a liability risk-avoidance thing.

I guess that's just one more reason why PHP5's features are what I wanna
go to as quick as possible.
Aug 9 '07 #10
Sanders Kaufman wrote:
> Sanders Kaufman wrote:
>> ZeldorBlat wrote:
>>> Yes. But you haven't said which database you're using. If you're
>>> using MySQL you want mysql_real_escape_string().
>
> It's interesting that this function is not fully a part of PHP, but
> rather relies on some libraries in MySQL.
>
> Seems to me, if I was the PHP guys, I wouldn't have made it so. Must be
> a liability risk-avoidance thing.
>
> I guess that's just one more reason why PHP5's features are what I wanna
> go to as quick as possible.

That's because it's a wrapper to the same function in MySQL. Why
duplicate effort - especially since you don't have all the information
available, anyway?

Maybe you want mysql_connect() and mysql_query() to be pure PHP
functions also?

The same is true in PHP5.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 10 '07 #11
.oO(Sanders Kaufman)
> ZeldorBlat wrote:
>> Yes. But you haven't said which database you're using. If you're
>> using MySQL you want mysql_real_escape_string().
>
> It's interesting that this function is not fully a part of PHP, but
> rather relies on some libraries in MySQL.

You would be surprised how many of PHP's functions are just wrappers
around external libraries. I would say that's the case for >90% of it.

> Seems to me, if I was the PHP guys, I wouldn't have made it so.

You would have rewritten all the functions of the MySQL library in PHP?
Think about it ...

Micha
Aug 10 '07 #12
Jerry Stuckle wrote:
> Sanders Kaufman wrote:
>> It's interesting that this function is not fully a part of PHP, but
>> rather relies on some libraries in MySQL.
>>
>> Seems to me, if I was the PHP guys, I wouldn't have made it so. Must
>> be a liability risk-avoidance thing.
>>
>> I guess that's just one more reason why PHP5's features are what I
>> wanna go to as quick as possible.
>
> That's because it's a wrapper to the same function in MySQL. Why
> duplicate effort - especially since you don't have all the information
> available, anyway?

Gosh Jerry, you promised to ignore my posts; to not respond to any more
of them.

I'd appreciate it very much if you'd stick to your word of honor on this.

If you have something to offer - go ahead. But if you're just trolling
for a fight - this ain't the place for it.
Aug 11 '07 #13
Michael Fesser wrote:
> You would be surprised how many of PHP's functions are just wrappers
> around external libraries. I would say that's the case for >90% of it.

I *am* surprised.

>> Seems to me, if I was the PHP guys, I wouldn't have made it so.
>
> You would have rewritten all the functions of the MySQL library in PHP?
> Think about it ...

No - not all. Didn't say that; didn't imply it.

I just thought that the subset of MySQL-related features were entirely
within the PHP binaries.

I guess I now know why PHP with MySQL support has to be compiled to
include the MySQL libraries.

Personally - I'm a recovering Microsoftie, so this whole thing about
compiling and recompiling other people's applications, with other
people's applications still totally blows me away.
Aug 11 '07 #14
Sanders Kaufman wrote:
> Jerry Stuckle wrote:
>> Sanders Kaufman wrote:
>>> It's interesting that this function is not fully a part of PHP, but
>>> rather relies on some libraries in MySQL.
>>>
>>> Seems to me, if I was the PHP guys, I wouldn't have made it so. Must
>>> be a liability risk-avoidance thing.
>>>
>>> I guess that's just one more reason why PHP5's features are what I
>>> wanna go to as quick as possible.
>>
>> That's because it's a wrapper to the same function in MySQL. Why
>> duplicate effort - especially since you don't have all the information
>> available, anyway?
>
> Gosh Jerry, you promised to ignore my posts; to not respond to any more
> of them.
>
> I'd appreciate it very much if you'd stick to your word of honor on this.
>
> If you have something to offer - go ahead. But if you're just trolling
> for a fight - this ain't the place for it.

No, just pointing out that this was one of the stupidest questions I've
seen in this newsgroup in a long time.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 11 '07 #15
Sanders Kaufman wrote:
> Michael Fesser wrote:
>> You would be surprised how many of PHP's functions are just wrappers
>> around external libraries. I would say that's the case for >90% of it.
>
> I *am* surprised.
>
>>> Seems to me, if I was the PHP guys, I wouldn't have made it so.
>>
>> You would have rewritten all the functions of the MySQL library in PHP?
>> Think about it ...
>
> No - not all. Didn't say that; didn't imply it.
>
> I just thought that the subset of MySQL-related features were entirely
> within the PHP binaries.
>
> I guess I now know why PHP with MySQL support has to be compiled to
> include the MySQL libraries.
>
> Personally - I'm a recovering Microsoftie, so this whole thing about
> compiling and recompiling other people's applications, with other
> people's applications still totally blows me away.

PHP doesn't recompile MySQL or any other applications. It just links
into the MySQL libraries.

Did you ever write a non-web based application - i.e. C/C++, which used
MS SQL? Or even a Windows application? Did you recompile MS SQL or
Windows for your application? Or did you just link to their libraries?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 11 '07 #16
Jerry Stuckle wrote:
> No, just pointing out that this was one of the stupidest questions I've
> seen in this newsgroup in a long time.

I'm still new to the whole Thunderbird/Firefox thing.
Can anyone tell me how to filter out messages like this?

I used to could do it in Outlook Express - but I can't figure out how it
works in Thunderbird(?).
Aug 11 '07 #17
.oO(Sanders Kaufman)
> I just thought that the subset of MySQL-related features were entirely
> within the PHP binaries.

Nope, just the symbols, the names of the external functions.

> I guess I now know why PHP with MySQL support has to be compiled to
> include the MySQL libraries.
>
> Personally - I'm a recovering Microsoftie, so this whole thing about
> compiling and recompiling other people's applications, with other
> people's applications still totally blows me away.

The external libraries are never recompiled (unless you do that of
course, but usually that's not necessary). What's compiled into PHP are
the names and references to the external functions, classes etc., so PHP
knows where it can find the actual binary code when it's requested.

It's really not that complicated.

Micha
Aug 11 '07 #18
Sanders Kaufman wrote:
> Jerry Stuckle wrote:
>> No, just pointing out that this was one of the stupidest questions
>> I've seen in this newsgroup in a long time.
>
> I'm still new to the whole Thunderbird/Firefox thing.
> Can anyone tell me how to filter out messages like this?
>
> I used to could do it in Outlook Express - but I can't figure out how it
> works in Thunderbird(?).

ROFLMAO! We know you can't program. Can't figure out how to use
Thunderbird, either, huh?

Do you need help peeing? Or can you read the instructions?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 11 '07 #19
Michael Fesser wrote:
> .oO(Sanders Kaufman)
>> Personally - I'm a recovering Microsoftie, so this whole thing about
>> compiling and recompiling other people's applications, with other
>> people's applications still totally blows me away.
>
> The external libraries are never recompiled (unless you do that of
> course, but usually that's not necessary). What's compiled into PHP are
> the names and references to the external functions, classes etc., so PHP
> knows where it can find the actual binary code when it's requested.
>
> It's really not that complicated.

Yeah - that's what I keep telling my grampa about his cable remote - but
he still gets goofy about the whole Video1/Video2 thing. :)

But it's really not that complicated.
Aug 11 '07 #20
