Re: mysql issue...

From: Joshua Kugler <joshua.kugler@uaf.edu>
Date: Tue Mar 08 2005 - 09:39:21 AKST

First thing you should know:

DON'T PUT RAW VALUES INTO AN SQL QUERY. Yes, I'm yelling, because it's very
dangerous. Google for "sql injection" and start reading.

http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
http://www.unixwiz.net/techtips/sql-injection.html
And many more!

Second, there is a mysql_quote function (or similar name). Use it on all your
values before you insert them to escape anything that might be dangerous.
Or use prepared queries with parameter binding (don't know if PHP does this).

Yes, it chokes on apostrophes because those are delimiters in SQL.

Hope that helps.

j----- k----

On Tuesday 08 March 2005 09:25, Clay Scott wrote:
> for some reason a php/mysql script won't input values into a database if
> there's an extended character present. simple characters like apostrophes,
> colons, dashes, etc. the script uses this string for database input:
>
> mysql_query("INSERT INTO table (name, type, link) VALUES ('".
> $_POST['name'] ."', 'type', '$link')");
>
> it works perfectly well as long as 'name' doesn't contain any of the
> mentioned characters. if it does it seems the string is just lost
> completely. those three fields are varchar(100), varchar(20) and
> varchar(100) respectively so i know the characters are supported. i ran the
> insert string manually in mysql and can add values into 'name' with the
> characters fine.
>
> anything i should know about handling strings with these characters in them
> that i obviously don't? is my problem that i need to somehow edit my php to
> catch and escape these characters somewhere along the line?
>
> thanks,
> ~clay
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.

-- 
Joshua Kugler
CDE System Administrator
http://distance.uaf.edu/
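The following is an added example, not code from either poster in this thread. It reproduces the failure Clay describes and the two fixes Joshua recommends (escaping every value, or binding parameters) using Python's built-in sqlite3 module with an in-memory database standing in for the MySQL table; the table and column names, the sample 'name' value and the link are constructed for the example. In PHP at the time the escaping function was mysql_real_escape_string, and MySQL escapes with a backslash rather than the doubled-apostrophe form SQLite uses below.

```python
import sqlite3

# Constructed sample input: the kind of 'name' value that broke the original script.
NAME_WITH_APOSTROPHE = "O'Brien's page: draft-1"
SAMPLE_LINK = "http://example.invalid/"


def setup_db():
    """Create an in-memory table mirroring the three varchar columns in the original script."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries (name VARCHAR(100), type VARCHAR(20), link VARCHAR(100))"
    )
    return conn


def insert_by_concatenation(conn, name, link):
    """The pattern from the original script: the raw value is spliced into the SQL text.

    An apostrophe inside `name` closes the string literal early, the statement no
    longer parses, and the row is never written. That is why the data seemed to be
    'lost': the query failed and the failure was never checked.
    """
    sql = (
        "INSERT INTO entries (name, type, link) VALUES ('"
        + name + "', 'type', '" + link + "')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def escape_sql_literal(value):
    """Escape a value for use inside a single-quoted SQL literal (SQLite/standard
    SQL style: double every apostrophe). This is the idea behind the PHP escaping
    function; MySQL's own escaping rules differ, so use the driver's function there."""
    return value.replace("'", "''")


def insert_with_escaping(conn, name, link):
    """Fix 1: escape every value before splicing it into the query."""
    sql = (
        "INSERT INTO entries (name, type, link) VALUES ('"
        + escape_sql_literal(name) + "', 'type', '" + escape_sql_literal(link) + "')"
    )
    conn.execute(sql)
    conn.commit()
    return True


def insert_with_parameters(conn, name, link):
    """Fix 2 (preferred): parameter binding. The SQL text holds only placeholders and
    the driver passes the values separately, so no character in the data can change
    the structure of the statement."""
    conn.execute(
        "INSERT INTO entries (name, type, link) VALUES (?, 'type', ?)", (name, link)
    )
    conn.commit()
    return True


def stored_names(conn):
    """Return the 'name' column in insertion order, to check what actually got written."""
    return [row[0] for row in conn.execute("SELECT name FROM entries ORDER BY rowid")]


if __name__ == "__main__":
    conn = setup_db()
    print("concatenation:", insert_by_concatenation(conn, NAME_WITH_APOSTROPHE, SAMPLE_LINK))
    print("escaping:     ", insert_with_escaping(conn, NAME_WITH_APOSTROPHE, SAMPLE_LINK))
    print("parameters:   ", insert_with_parameters(conn, NAME_WITH_APOSTROPHE, SAMPLE_LINK))
    print(stored_names(conn))
```

Running it shows the concatenated insert returning False with nothing stored, while both the escaped and the bound-parameter inserts store the apostrophe-laden value intact. The concatenated version also succeeds for a plain value, which is exactly why the bug only surfaces on 'extended' characters.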
Received on Tue Mar 8 09:39:27 2005

This archive was generated by hypermail 2.1.8 : Tue Mar 08 2005 - 09:39:27 AKST