
escaping characters in php and mysql - help


// This statement below inserting one field works:
// mysql_query("INSERT INTO page (page_url) VALUES (\"$url_field\")");

But I wanted to insert into two fields so I was trying all sorts of
escaping. See below...there must be an easier way?! I also cite the
syntax error - Thanks very much.

mysql_query("INSERT INTO page (page_url, title) VALUES
( \"$url_insert . "\", "." \"$title_field "." "\")");

I don't understand how to escape but I got to believe there's an easier
way? Thanks!

Error message
C:\Program Files\Apache Group\Apache2\htdocs>php -l populate2.php

Warning: Unexpected character in input: '\' (ASCII=92) state=1 in C:\Program Files\Apache Group\Apache2\htdocs\populate2.php on line 56

Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING in C:\Program Files\Apache Group\Apache2\htdocs\populate2.php on line 56
Errors parsing populate2.php
Jul 17 '05 #1
1 Reply


leegold2 wrote:

// This statement below inserting one field works:
// mysql_query("INSERT INTO page (page_url) VALUES (\"$url_field\")");

But I wanted to insert into two fields so I was trying all sorts of
escaping. See below...there must be an easier way?! I also cite the
syntax error - Thanks very much.

mysql_query("INSERT INTO page (page_url, title) VALUES
( \"$url_insert . "\", "." \"$title_field "." "\")");

I don't understand how to escape but I got to believe there's an easier
way? Thanks!


MySQL supports single quotes around column values as well as double quotes, so
you can instead do it this way:

mysql_query("
INSERT INTO page (page_url, title)
VALUES ('$url_insert', '$title_field')
");

Much tidier and easier to read.

Note that if you're accepting stuff from the browser and inserting it
directly into the database you need to first escape the values. Do a Google
search on sql injection to learn more:
http://www.google.co.nz/search?q=sql+injection

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
Jul 17 '05 #2
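The reply above gives the tidy single-quoted form and then warns that browser input must be escaped first. The following is an added example, not code from either poster: it builds the same two-column INSERT three ways and shows what a title containing a quote does to each. It uses PDO (an assumption; the thread uses the older mysql_* functions) against an in-memory SQLite database so it runs stand-alone; for MySQL only the DSN in `new PDO(...)` changes. The table, URLs and titles are constructed for the example.

```php
<?php
// Added example, not from the original thread. PDO + SQLite in memory so it
// runs anywhere PHP has pdo_sqlite; swap the DSN for
// 'mysql:host=localhost;dbname=...' (plus user/password) to use MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE page (page_url TEXT, title TEXT)');

// Constructed inputs. The second title contains an apostrophe, as real titles
// do; the third is what an attacker would submit through the same form field.
$url_insert     = 'http://example.com/about';
$title_field    = "Bob's Homepage";
$attacker_title = "x'), ('http://attacker.example/', 'injected row";

// 1. Quoted interpolation exactly as in the reply. Readable, but the value is
//    pasted into the SQL text, so a quote inside it changes the statement.
function insertInterpolated(PDO $pdo, string $url, string $title): string
{
    try {
        $pdo->exec("INSERT INTO page (page_url, title) VALUES ('$url', '$title')");
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 1a: the apostrophe in "Bob's Homepage" ends the string early -> syntax error.
echo "1a interpolated, benign title:  " . insertInterpolated($pdo, $url_insert, $title_field) . "\n";
// 1b: the crafted title closes the VALUES row and opens a second one, so the
//     statement succeeds and silently stores an attacker-chosen row as well.
echo "1b interpolated, crafted title: " . insertInterpolated($pdo, $url_insert, $attacker_title) . "\n";

// 2. Escape first, as the reply recommends. PDO::quote() returns the value
//    wrapped in quotes with embedded quotes escaped for the current driver
//    (for the mysql_* functions the equivalent is mysql_real_escape_string).
$sql = "INSERT INTO page (page_url, title) VALUES ("
     . $pdo->quote($url_insert) . ", " . $pdo->quote($title_field) . ")";
$pdo->exec($sql);
echo "2  escaped with PDO::quote():   ok\n";

// 3. Prepared statement with bound parameters. The values never become part
//    of the SQL text, so there is nothing to escape and neither title above
//    can alter the statement; the crafted one is just stored as a string.
$stmt = $pdo->prepare('INSERT INTO page (page_url, title) VALUES (:url, :title)');
$stmt->execute([':url' => $url_insert, ':title' => $title_field]);
$stmt->execute([':url' => $url_insert, ':title' => $attacker_title]);
echo "3  prepared statement:          ok\n";

// Dump the table: one extra row from 1b that nobody intended, plus the rows
// from 2 and 3 with the quotes stored intact.
foreach ($pdo->query('SELECT page_url, title FROM page') as $row) {
    echo '   ' . $row['page_url'] . ' | ' . $row['title'] . "\n";
}
```

Approach 2 is what the reply calls escaping and it is sufficient for string columns when done for every value, every time; approach 3 is the one to reach for in new code, because the quoting question disappears entirely and a forgotten escape call cannot reopen the hole.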
