How to introduce quotes?
Posted: Thu Jul 27, 2006 4:38 pm
by peperoni
Hi everybody!
I have a little problem with a query. When I execute
Code:
$sql="INSERT into pais(id_pais, nombre_pais) values(1,'".$_POST["txtNombre"]."')";
mssql_query($sql,$con);
and txtNombre contains a quote ' it closes the query and doesn't execute the rest of the query.
What can I do?
C ya!
Posted: Thu Jul 27, 2006 4:46 pm
by RobertGonzalez
Escape your quote.
Code:
<?php
// Single quote string, string literal
$string = 'Who said "This is a string isn\'t it?"';
// Double quote string, parsed
$otherstring = "Didn't I just say \"This is a string, isn't it\"?";
?>
Posted: Thu Jul 27, 2006 4:46 pm
by Benjamin
Code:
mysql_real_escape_string($_POST["txtNombre"])
Posted: Thu Jul 27, 2006 4:47 pm
by RobertGonzalez
Dude, I so read that question wrong. Thanks astions for being sharp enough to handle that *complex* topic for me.
Posted: Thu Jul 27, 2006 4:48 pm
by peperoni
Everah wrote: Escape your quote.
I'm using magic_quotes=On, which is supposed to escape them, but it doesn't.
Posted: Thu Jul 27, 2006 4:50 pm
by Benjamin
I've even been up for 26 hours.
Posted: Thu Jul 27, 2006 4:52 pm
by peperoni
astions wrote:
Code:
mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000?

mssql_real_escape_string doesn't exist.
Posted: Thu Jul 27, 2006 4:53 pm
by Benjamin
Where would one look to find the equivalent?
http://www.php.net/manual/en/function.addslashes.php ? Just guessing..
Posted: Thu Jul 27, 2006 4:56 pm
by Jenk
Code:
$string = str_replace("'", "''", $string);
Posted: Thu Jul 27, 2006 5:07 pm
by jmut
peperoni wrote:
astions wrote:
Code:
mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000?

mssql_real_escape_string doesn't exist.
Use prepared statements.
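As an added example (not code from the thread), this is peperoni's INSERT into pais rewritten the way jmut suggests, as a PDO prepared statement against SQL Server. It assumes the pdo_sqlsrv driver; the server name, database and credentials are placeholders, and the function names are mine. With pdo_dblib the DSN would instead start with "dblib:host=...;dbname=...".

```php
<?php
// Added example, not from the thread: parameterised INSERT into pais.
// Assumes pdo_sqlsrv; connection values below are constructed placeholders.
declare(strict_types=1);

function connectMssql(): PDO
{
    $pdo = new PDO(
        'sqlsrv:Server=localhost;Database=example_db', // constructed
        'app_user',                                    // constructed
        'app_password'                                 // constructed
    );
    // Throw on errors instead of silently returning false, so a failed
    // prepare() or execute() cannot be mistaken for a successful insert.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function insertPais(PDO $pdo, int $idPais, string $nombrePais): int
{
    // The placeholders are sent to the server separately from the
    // statement text: a quote inside $nombrePais is data, never SQL,
    // so there is nothing to escape and nothing for magic_quotes to do.
    $stmt = $pdo->prepare(
        'INSERT INTO pais (id_pais, nombre_pais) VALUES (:id_pais, :nombre_pais)'
    );
    $stmt->bindValue(':id_pais', $idPais, PDO::PARAM_INT);
    $stmt->bindValue(':nombre_pais', $nombrePais, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Usage with the form field from the thread. The value is passed as typed;
// if magic_quotes_gpc is still on, run stripslashes() on it first so the
// backslashes PHP added are not stored as part of the name.
$nombre = $_POST['txtNombre'] ?? '';
$pdo = connectMssql();
echo insertPais($pdo, 1, $nombre), " row(s) inserted\n";
```

rowCount() is returned rather than printed inside the function so a caller can check that exactly one row was inserted; the original mssql_query() call in the question gave no such signal when the quote broke the statement.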
Posted: Fri Jul 28, 2006 10:32 am
by peperoni
I decided to solve it in a rude way!
Code:
$sugerencia = $_POST["txtSugerencia"];
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query
Code:
$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing results
Code:
echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo!
Thanks everybody!
C ya soon!
Posted: Fri Jul 28, 2006 1:21 pm
by jmut
peperoni wrote:
I decided to solve it in a rude way!
Code:
$sugerencia = $_POST["txtSugerencia"];
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query
Code:
$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing results
Code:
echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo!
Thanks everybody!
C ya soon!
This is just so wrong... SQL injection is not about escaping quotes only!!!
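An added example (not code from the thread) that makes jmut's objection concrete for the query peperoni posted. It shows three things: the "replace ' with /" round trip silently corrupts legitimate text; Jenk's quote-doubling only has meaning inside a T-SQL string literal; and the id_acti value from cmbActividad is spliced in unquoted, so no amount of quote handling touches it and it has to be validated as an integer. Prepared statements remain the right fix; this just demonstrates the limits of the string-level alternatives in the thread. It runs stand-alone with php-cli, needs no database, and all function names are mine.

```php
<?php
// Added example, not from the thread: limits of quote-replacing and
// quote-doubling in peperoni's sugerencias INSERT. Function names are
// hypothetical; no database connection is needed.
declare(strict_types=1);

// peperoni's round trip: ' becomes / on the way in and back on the way out.
function rudeEncode(string $s): string { return str_replace("'", '/', $s); }
function rudeDecode(string $s): string { return str_replace('/', "'", $s); }

// Jenk's approach: inside a T-SQL string literal a quote is written as ''.
// The doubling only protects text that sits between the literal's quotes.
function quoteTsqlLiteral(string $s): string
{
    return "'" . str_replace("'", "''", $s) . "'";
}

// id_acti is interpolated without quotes, so quote escaping never reaches
// it. The only string-level defence is to refuse anything but an integer.
function validateActividadId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('cmbActividad must be an integer');
    }
    return $id;
}

function buildSugerenciaInsert(int $idFinal, string $descripcion, string $fechaHoy, string $rawActividad): string
{
    return 'INSERT INTO sugerencias (id_suge, descripcion_suge, fecha_suge, id_acti) VALUES ('
        . $idFinal . ', '
        . quoteTsqlLiteral($descripcion) . ', '
        . quoteTsqlLiteral($fechaHoy) . ', '
        . validateActividadId($rawActividad) . ')';
}

// 1. A legitimate suggestion containing a slash is corrupted by the round trip:
//    the slash the user typed comes back out as a quote.
$input  = "Open 24/7, isn't it?";              // constructed sample input
$stored = rudeEncode($input);                  // Open 24/7, isn/t it?
$shown  = rudeDecode($stored);                 // Open 24'7, isn't it?
echo "typed : $input\nshown : $shown\n";
if ($shown !== $input) {
    echo "round trip changed the user's text\n";
}

// 2. Quote doubling keeps the text intact and is what T-SQL expects.
echo buildSugerenciaInsert(10, $input, '2006-07-28', '3'), "\n";

// 3. A cmbActividad value that is not an integer is rejected instead of
//    being pasted into the statement as-is.
try {
    buildSugerenciaInsert(10, $input, '2006-07-28', '3abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of validateActividadId() is not that integer checks make string-building safe in general, but that the column peperoni left completely unprotected is the numeric one; a fix that only looks at quotes cannot see it.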