How to introduce quotes?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

peperoni
Forum Newbie
Posts: 16
Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua
Post by peperoni »

Hi everybody!

I have a little problem with a query. When I execute

// user input is concatenated straight into the SQL text
$sql="INSERT into pais(id_pais, nombre_pais) values(1,'".$_POST["txtNombre"]."')";
mssql_query($sql,$con);
and txtNombre contains a quote ' it closes the query and doesn't execute the rest of the query :?

What can I do?

C ya!
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Escape your quote.

<?php
// Single quote string, string literal
$string = 'Who said "This is a string isn\'t it?"';

// Double quote string, parsed
$otherstring = "Didn't I just say \"This is a string, isn't it\"?";
?>
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

mysql_real_escape_string($_POST["txtNombre"])
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Dude, I so read that question wrong. Thanks astions for being sharp enough to handle that *complex* topic for me :oops: .
peperoni
Forum Newbie
Posts: 16
Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua

Post by peperoni »

Everah wrote:Escape your quote.
I'm using magic_quotes=On, which is supposed to escape them, but it doesn't :(
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I've even been up for 26 hours.
peperoni
Forum Newbie
Posts: 16
Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua

Post by peperoni »

astions wrote:

mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000? :? mssql_real_escape_string doesn't exist :(
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Where would one look to find the equivalent?

http://www.php.net/manual/en/function.addslashes.php ? Just guessing..
Last edited by Benjamin on Thu Jul 27, 2006 4:57 pm, edited 1 time in total.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

$string = str_replace("'", "''", $string);
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

peperoni wrote:
astions wrote:

mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000? :? mssql_real_escape_string doesn't exist :(
Use prepared statements.
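As an added example (not code from anyone in this thread), here is the `pais` insert from the first post rewritten as a prepared statement through PDO, which sends the value separately from the SQL text so a quote in txtNombre is stored as data instead of ending the string literal. It assumes the pdo_sqlsrv driver; the server, database and credentials are placeholders, and the sample input stands in for `$_POST["txtNombre"]`.

```php
<?php
// Added example: parameterised INSERT for the pais table from the first post.
// Assumes the pdo_sqlsrv driver; server, database and credentials are placeholders.
$dsn = 'sqlsrv:Server=DBSERVER_PLACEHOLDER;Database=DB_PLACEHOLDER';
$pdo = new PDO($dsn, 'USER_PLACEHOLDER', 'PASSWORD_PLACEHOLDER', [
    // throw on error instead of silently running a truncated query
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

function insertPais(PDO $pdo, int $idPais, string $nombrePais): int
{
    // The SQL text holds only placeholders; the values travel to the server
    // separately, so a quote inside $nombrePais never changes the statement.
    $stmt = $pdo->prepare('INSERT INTO pais (id_pais, nombre_pais) VALUES (:id, :nombre)');
    $stmt->bindValue(':id', $idPais, PDO::PARAM_INT);
    $stmt->bindValue(':nombre', $nombrePais, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

function readPais(PDO $pdo, int $idPais): ?string
{
    // Same pattern for the lookup: the id is bound, not interpolated.
    $stmt = $pdo->prepare('SELECT nombre_pais FROM pais WHERE id_pais = :id');
    $stmt->execute([':id' => $idPais]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed sample input standing in for $_POST['txtNombre'], with a quote in it.
$nombre = "Côte d'Ivoire";
insertPais($pdo, 1, $nombre);

// The quote is stored and read back unchanged, so no str_replace round trip is needed.
var_dump(readPais($pdo, 1) === $nombre);
```

Doubling the quote (`str_replace("'", "''", ...)`) is the T-SQL quoting rule and at least keeps the stored text intact, but it still leaves the value embedded in the SQL string; binding parameters is the fix that removes the problem rather than patching one character.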
peperoni
Forum Newbie
Posts: 16
Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua

Post by peperoni »

I decided to solve it in a rude way! :twisted:

$sugerencia = $_POST["txtSugerencia"];
// replaces every quote with a slash before the value goes into the query
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query

$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing results
// turns the slashes back into quotes on output
echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo! :D

Thanks everybody!

C ya soon!
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

peperoni wrote:I decided to solve it in a rude way! :twisted:

$sugerencia = $_POST["txtSugerencia"];
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query

$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing results
echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo! :D

Thanks everybody!

C ya soon!
This is just so wrong.... SQL injection is not about escaping quotes only!!!