Re: mysql issue...

From: Pat Borjon <pat@borjonx.com>
Date: Tue Mar 08 2005 - 12:01:07 AKST

Some of the characters mean something special to SQL.
For that reason, you must escape (or otherwise encode)
the characters before sending
them to the SQL server so SQL knows to treat them as just
another character.

Having said that, you should always clean your input before
sending it to the SQL server. Something like:

$cleaned_name = cleaner($_POST['name']);
mysql_query("INSERT INTO table (name) VALUES ('$cleaned_name')");
etc. etc.

The function:
cleaner();

is what prevents 'sql injection'

HTH, or points you in the right direction -
Pat
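The apostrophe problem from the original post, reproduced and then fixed, as an added example that is not code from either message in the thread. It uses PDO against an in-memory SQLite database so it runs offline; it assumes the pdo_sqlite extension is loaded, and the same PDO calls work unchanged against a "mysql:" DSN. The function names and the table name "links" are this example's own.

```php
<?php
// Added example (not from the thread): the apostrophe problem from the
// original post, reproduced and fixed with PDO on an in-memory SQLite
// database so it runs offline. Assumes the pdo_sqlite extension; with
// MySQL you would use the same PDO calls against a "mysql:" DSN.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE links (name VARCHAR(100), type VARCHAR(20), link VARCHAR(100))');
    return $db;
}

// The pattern from the original post: raw input pasted into the query text.
// An apostrophe in $name closes the string literal early, so the INSERT
// fails to parse (and crafted input could turn it into a different statement).
function insertUnsafe(PDO $db, string $name, string $link): bool {
    try {
        $db->exec("INSERT INTO links (name, type, link) VALUES ('" . $name . "', 'type', '$link')");
        return true;
    } catch (PDOException $e) {
        echo "unsafe insert failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// The fix: a prepared statement sends the values separately from the SQL
// text, so the server never parses them as SQL. This is the "cleaner()"
// step of the reply, done by the driver instead of by hand.
function insertSafe(PDO $db, string $name, string $link): void {
    $stmt = $db->prepare('INSERT INTO links (name, type, link) VALUES (:name, :type, :link)');
    $stmt->execute([':name' => $name, ':type' => 'type', ':link' => $link]);
}

// Where a prepared statement is not available, quoting through the driver
// (PDO::quote here, mysql_real_escape_string in 2005-era code) is the
// hand-escaping the reply describes; the driver knows the server's rules,
// a home-grown cleaner() or addslashes() generally does not.
function insertEscaped(PDO $db, string $name, string $link): void {
    $db->exec('INSERT INTO links (name, type, link) VALUES ('
        . $db->quote($name) . ", 'type', " . $db->quote($link) . ')');
}

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM links')->fetchColumn();
}

$db = openDb();
// Constructed sample input carrying the characters the post complains about.
$name = "Sláinte: O'Brien - #1";
$link = 'http://example.invalid/';

insertUnsafe($db, $name, $link);     // reports a syntax error, stores nothing
insertSafe($db, $name, $link);
insertEscaped($db, $name, $link);
printf("rows stored: %d\n", countRows($db));

// Confirm the value came back byte-for-byte, apostrophe and accent included.
$stored = $db->query('SELECT name FROM links LIMIT 1')->fetchColumn();
printf("round trip intact: %s\n", $stored === $name ? 'yes' : 'no');
```

Run it with `php example.php`. The first insert is the bug from the original post; the other two show the two ways of handling it, with the prepared statement being the one to prefer because it does not depend on getting the escaping right for every character set the server might be using.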

Clay Scott wrote:
> for some reason a php/mysql script won't input values into a database if there's an extended character present. simple characters like apostrophes, colons, dashes, etc. the script uses this string for database input:
>
> mysql_query("INSERT INTO table (name, type, link) VALUES ('". $_POST['name'] ."', 'type', '$link')");
>
> it works perfectly well as long as 'name' doesn't contain any of the mentioned characters. if it does it seems the string is just lost completely. those three fields are varchar(100), varchar(20) and varchar(100) respectively so i know the characters are supported. i ran the insert string manually in mysql and can add values into 'name' with the characters fine.
>
> anything i should know about handling strings with these characters in them that i obviously don't? is my problem that i need to somehow edit my php to catch and escape these characters somewhere along the line?
>
> thanks,
> ~clay
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
Received on Tue Mar 8 12:57:38 2005

This archive was generated by hypermail 2.1.8 : Tue Mar 08 2005 - 12:57:38 AKST