Quotes problem

Posted: Tue Jan 10, 2006 1:18 am
by dude81
Hello,
I use an Oracle database as my main database.

The problem here is that we cannot insert any data containing single quotes, double quotes or similar special characters.

I have checked oracle website
http://www.oracle.com/technology/tech/ ... insquotes

As far as the problem goes, I have a lot of forms with thousands of variables on the website, so I can't use stripslashes or addslashes as a solution.
None of the solutions mentioned in the above URL has been implemented.

Of all of them, only the first solution looks better, but still hundreds of forms would have to be altered and some thousands of variables
would have to be edited.

Is there any other solution?

Posted: Tue Jan 10, 2006 3:26 am
by Jenk
As it suggests for number 1:
Use bind variables. This also protects against "SQL Injection" security issues:

$name = "O'Reilly";
$stmt = 'INSERT INTO CUSTOMERS (NAME) VALUES (:nm)';   // :nm is a placeholder, the value is not in the SQL text
$stid = OCIParse($mycon, $stmt);                       // $mycon is an already opened OCI connection
OCIBindByName($stid, ':nm', $name, -1);                // the value is sent separately, so the quote is plain data
OCIExecute($stid);
http://us3.php.net/manual/en/function.o ... y-name.php

Posted: Tue Jan 10, 2006 5:32 am
by Maugrim_The_Reaper
...assuming the application is Oracle-specific (which one would assume). If you need multiple database support (hopefully not with Oracle involved), look into ADOdb. It should automate this level of escaping using bind parameters in its own emulated fashion.

Posted: Tue Jan 10, 2006 6:21 am
by dude81
as it suggests for number 1:
Can I use a procedure instead of a simple query? If so, how should the variables be written to a procedure?
I tried the way it was shown in the Oracle FAQs but it didn't work.
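The following is an added example, not code posted in this thread and not from the Oracle FAQ. It shows the two things discussed above in one PHP/OCI8 script: Jenk's bind-variable INSERT next to the concatenation pattern it replaces, and the way a stored procedure is called with bind variables (an anonymous PL/SQL block with IN and OUT binds), which is what dude81 asks about in the last post. The CUSTOMERS table with a NAME column, the procedure ADD_CUSTOMER(p_name IN VARCHAR2, p_id OUT NUMBER) and the ORA_* environment variables are assumptions for illustration, not names from the page.

```php
<?php
// Added example (not from the thread). Assumptions, not from the page:
// a table CUSTOMERS(NAME VARCHAR2), a stored procedure
// ADD_CUSTOMER(p_name IN VARCHAR2, p_id OUT NUMBER), and connection
// details supplied through the ORA_USER / ORA_PASS / ORA_DSN environment.
declare(strict_types=1);

// The pattern to avoid: the value is spliced into the SQL text. O'Reilly
// terminates the literal early (ORA-01756), and a crafted name such as
// x'||(SELECT user FROM dual)||' becomes SQL that Oracle evaluates.
function unsafe_insert($conn, string $name): bool
{
    $sql  = "INSERT INTO CUSTOMERS (NAME) VALUES ('" . $name . "')";
    $stid = oci_parse($conn, $sql);
    $ok   = oci_execute($stid);
    oci_free_statement($stid);
    return $ok;
}

// Bind variables: the SQL text is fixed at parse time and the value travels
// separately, so quotes, double quotes or SQL fragments in $name stay data.
function insert_customer($conn, string $name): bool
{
    $stid = oci_parse($conn, 'INSERT INTO CUSTOMERS (NAME) VALUES (:nm)');
    oci_bind_by_name($stid, ':nm', $name);
    $ok = oci_execute($stid);   // default mode OCI_COMMIT_ON_SUCCESS commits
    oci_free_statement($stid);
    return $ok;
}

// Stored procedure: wrap the call in an anonymous PL/SQL block and bind each
// argument by name. An OUT parameter needs a PHP variable bound with a
// maximum length so OCI8 has room to write the result back into it.
function add_customer_via_procedure($conn, string $name): ?int
{
    $stid  = oci_parse($conn, 'BEGIN ADD_CUSTOMER(:nm, :id); END;');
    $newId = null;
    oci_bind_by_name($stid, ':nm', $name);
    oci_bind_by_name($stid, ':id', $newId, 32);   // OUT bind, 32 bytes is ample for a NUMBER
    $ok = oci_execute($stid);
    oci_free_statement($stid);
    return $ok ? (int) $newId : null;
}

$conn = oci_connect(getenv('ORA_USER'), getenv('ORA_PASS'), getenv('ORA_DSN'));
if ($conn === false) {
    $e = oci_error();
    fwrite(STDERR, 'connect failed: ' . $e['message'] . PHP_EOL);
    exit(1);
}

// Constructed inputs: a legitimate name with a quote, and a name that would be
// interpreted as SQL by unsafe_insert(). Both are stored verbatim by the
// bound version.
foreach (["O'Reilly", "x'||(SELECT user FROM dual)||'"] as $name) {
    $ok = insert_customer($conn, $name);
    echo ($ok ? 'inserted: ' : 'failed: ') . $name . PHP_EOL;
}

$id = add_customer_via_procedure($conn, "D'Angelo");
echo 'new customer id: ' . var_export($id, true) . PHP_EOL;

oci_close($conn);
```

The same bind call works for every statement type, so the per-form work is replacing each concatenated value with a `:name` placeholder plus one oci_bind_by_name() call; no escaping function is involved at any point. OCI8 does not execute several statements from one oci_execute() call, so the danger in the unsafe version is a subquery or expression inside the literal, as in the constructed second input, rather than a chained statement.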