peperoni
Forum Newbie
Posts: 16 Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua
by peperoni » Thu Jul 27, 2006 4:38 pm
Hi everybody!
I have a little problem with a query. When I execute
Code:
$sql="INSERT into pais(id_pais, nombre_pais) values(1,'".$_POST["txtNombre"]."')";
mssql_query($sql,$con);
and txtNombre contains a quote ' it closes the query and doesn't execute the rest of the query.
What can I do?
C ya!
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
by RobertGonzalez » Thu Jul 27, 2006 4:46 pm
Escape your quote.
Code:
<?php
// Single quote string, string literal
$string = 'Who said "This is a string isn\'t it?"';
// Double quote string, parsed
$otherstring = "Didn't I just say \"This is a string, isn't it\"?";
?>
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
by Benjamin » Thu Jul 27, 2006 4:46 pm
Code:
mysql_real_escape_string($_POST["txtNombre"])
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
by RobertGonzalez » Thu Jul 27, 2006 4:47 pm
Dude, I so read that question wrong. Thanks astions for being sharp enough to handle that *complex* topic for me.
peperoni
Forum Newbie
Posts: 16 Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua
by peperoni » Thu Jul 27, 2006 4:48 pm
Everah wrote: Escape your quote.
I'm using magic_quotes=On, which is supposed to escape them, but it doesn't.
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
by Benjamin » Thu Jul 27, 2006 4:50 pm
I've even been up for 26 hours.
peperoni
Forum Newbie
Posts: 16 Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua
by peperoni » Thu Jul 27, 2006 4:52 pm
astions wrote:
Code:
mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000?
mssql_real_escape_string doesn't exist.
Jenk
DevNet Master
Posts: 3587 Joined: Mon Sep 19, 2005 6:24 am
Location: London
by Jenk » Thu Jul 27, 2006 4:56 pm
Code:
$string = str_replace("'", "''", $string);
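The quote-doubling Jenk suggests, written out as a small helper (an added example, not code from the thread). It produces a complete T-SQL string literal, so the caller never splices a bare value into the query, and it undoes the backslashes that magic_quotes_gpc adds, since a backslash is not an escape character in T-SQL and would otherwise be stored literally. The helper only protects a value placed between quotes; a value interpolated into a numeric position of the query is not protected by it. The `N''` prefix and the sample inputs are assumptions of this example.

```php
<?php
// Added example: escape a value for use as a single-quoted T-SQL string
// literal by doubling every single quote (Jenk's suggestion above).
// Only valid for values that sit between quotes in the SQL text; a value
// interpolated into a numeric position gets no protection from this.

/**
 * Return a quoted T-SQL string literal for $value, ready to be concatenated
 * into a query. The N'' prefix is an assumption (nvarchar column), so that
 * non-ASCII text survives a non-Unicode column collation.
 */
function tsql_string_literal(string $value): string
{
    // magic_quotes_gpc (PHP < 5.4) added MySQL-style backslashes to every
    // quote; T-SQL does not treat them as escapes, so strip them first.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return "N'" . str_replace("'", "''", $value) . "'";
}

// Constructed sample input standing in for $_POST["txtNombre"]; the last one
// is the shape of input that broke the original concatenated query.
$samples = [
    "Nicaragua",
    "Cote d'Ivoire",
    "O'Brien'); --",
];

foreach ($samples as $name) {
    $sql = "INSERT INTO pais (id_pais, nombre_pais) VALUES (1, "
         . tsql_string_literal($name) . ")";
    echo $sql, "\n";
}
```

Each printed statement still has exactly one VALUES list and a closed literal; the doubled quotes are stored as single quotes by the server. Keep the helper for the string columns only and cast or validate anything that goes into a numeric column separately.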
jmut
Forum Regular
Posts: 945 Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
by jmut » Thu Jul 27, 2006 5:07 pm
peperoni wrote: astions wrote:
Code:
mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000?
mssql_real_escape_string doesn't exist.
Use prepared statements.
peperoni
Forum Newbie
Posts: 16 Joined: Thu Jun 15, 2006 10:52 pm
Location: Managua, Nicaragua
by peperoni » Fri Jul 28, 2006 10:32 am
I decided to solve it in a rude way!
Code:
$sugerencia = $_POST["txtSugerencia"];
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query
Code:
$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing the results
Code:
echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo!
Thanks everybody!
C ya soon!
jmut
Forum Regular
Posts: 945 Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
by jmut » Fri Jul 28, 2006 1:21 pm
peperoni wrote: I decided to solve it in a rude way!
Code:
$sugerencia = $_POST["txtSugerencia"];
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query
Code:
$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing the results
Code:
echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo!
Thanks everybody!
C ya soon!
This is just so wrong.... SQL injection is not about escaping quotes only!!!
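What jmut's "use prepared statements" looks like applied to the sugerencias insert, as an added example that is not part of the thread. The quote-to-slash trick only touches txtSugerencia; `$_POST["cmbActividad"]` is still concatenated into a numeric position where no quote is needed to change the statement, and every legitimate slash in the text comes back out as a quote on display. With placeholders the SQL text and the values travel separately, so nothing is rewritten on the way in or out. Assumptions: an in-memory SQLite database stands in for SQL Server 2000 so the script runs offline (against SQL Server you would open PDO with a `sqlsrv:` or `dblib:` DSN), the columns are the ones named in the thread, and the sample input is constructed.

```php
<?php
// Added example: peperoni's insert with a prepared statement (jmut's advice).
// SQLite in memory is an assumption standing in for SQL Server 2000.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use the driver's real prepared statements rather than client-side quoting.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE sugerencias (
        id_suge INTEGER PRIMARY KEY,
        descripcion_suge TEXT NOT NULL,
        fecha_suge TEXT NOT NULL,
        id_acti INTEGER NOT NULL)');
    return $db;
}

/** Insert one suggestion and return its id_suge. */
function insert_sugerencia(PDO $db, int $id, string $texto, string $fecha, string $actividadRaw): int
{
    // cmbActividad comes from a <select>; it must be an integer. Reject anything
    // else here instead of splicing it into the SQL, which is the position the
    // quote-swap in the thread leaves completely unprotected.
    if (!ctype_digit($actividadRaw)) {
        throw new InvalidArgumentException('cmbActividad must be a positive integer');
    }
    $stmt = $db->prepare(
        'INSERT INTO sugerencias (id_suge, descripcion_suge, fecha_suge, id_acti)
         VALUES (:id, :descripcion, :fecha, :acti)');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':descripcion', $texto, PDO::PARAM_STR);   // quotes need no treatment
    $stmt->bindValue(':fecha', $fecha, PDO::PARAM_STR);
    $stmt->bindValue(':acti', (int) $actividadRaw, PDO::PARAM_INT);
    $stmt->execute();
    return $id;
}

/** Read a suggestion back, escaped for the <td> output used in the thread. */
function sugerencia_cell(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT descripcion_suge FROM sugerencias WHERE id_suge = :id');
    $stmt->execute([':id' => $id]);
    $texto = (string) $stmt->fetchColumn();
    // Escaping for HTML is a separate step from escaping for SQL; do it on output.
    return '<td>' . htmlspecialchars($texto, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed sample input standing in for $_POST. The text holds both a quote
// and a slash; with the quote-to-slash trick the slash would be shown as a quote.
$db = open_db();
$id = insert_sugerencia($db, 1, "Don't use '/' as a stand-in for quotes", '2006-07-28', '3');
echo sugerencia_cell($db, $id), "\n";

// A non-numeric cmbActividad such as "1) --" is refused before any SQL is built.
try {
    insert_sugerencia($db, 2, 'x', '2006-07-28', '1) --');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The stored text is exactly what the user typed, so the display code needs no reverse substitution, only HTML escaping. The integer check on cmbActividad is the part the quote-focused fixes in the thread miss: a numeric position in a concatenated query is injectable without a single quote in the input.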