How to introduce quotes?

Posted: Thu Jul 27, 2006 4:38 pm
by peperoni
Hi everybody!

I have a little problem with a query. When I execute

Code: Select all

$sql="INSERT into pais(id_pais, nombre_pais) values(1,'".$_POST["txtNombre"]."')";
mssql_query($sql,$con);
and txtNombre contains a quote ' it closes the query and doesn't execute the rest of the query :?

What can i do?

C ya!

Posted: Thu Jul 27, 2006 4:46 pm
by RobertGonzalez
Escape your quote.

Code: Select all

<?php
// Single quote string, string literal
$string = 'Who said "This is a string isn\'t it?"';

// Double quote string, parsed
$otherstring = "Didn't I just say \"This is a string, isn't it\"?";
?>

Posted: Thu Jul 27, 2006 4:46 pm
by Benjamin

Code: Select all

mysql_real_escape_string($_POST["txtNombre"])

Posted: Thu Jul 27, 2006 4:47 pm
by RobertGonzalez
Dude, I so read that question wrong. Thanks astions for being sharp enough to handle that *complex* topic for me :oops: .

Posted: Thu Jul 27, 2006 4:48 pm
by peperoni
Everah wrote:Escape your quote.
I'm using magic_quotes=On, which is supposed to escape them, but it doesn't :(

Posted: Thu Jul 27, 2006 4:50 pm
by Benjamin
I've even been up for 26 hours.

Posted: Thu Jul 27, 2006 4:52 pm
by peperoni
astions wrote:

Code: Select all

mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000? :? mssql_real_escape_string doesn't exist :(

Posted: Thu Jul 27, 2006 4:53 pm
by Benjamin
Where would one look to find the equivalent?

http://www.php.net/manual/en/function.addslashes.php ? Just guessing..

Posted: Thu Jul 27, 2006 4:56 pm
by Jenk

Code: Select all

$string = str_replace("'", "''", $string);

Posted: Thu Jul 27, 2006 5:07 pm
by jmut
peperoni wrote:
astions wrote:

Code: Select all

mysql_real_escape_string($_POST["txtNombre"])
What if I'm using MS SQL Server 2000? :? mssql_real_escape_string doesn't exist :(
Use prepared statements.
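The T-SQL quote doubling Jenk shows and the prepared statement jmut recommends, side by side with the original concatenated query, as an added example that is not code from the thread. It assumes PHP with the PDO sqlsrv driver; the DSN, credentials and connection at the bottom are hypothetical, while the table and column names are the ones from peperoni's query. It also shows why magic_quotes did not help: magic_quotes/addslashes() inserts a backslash, and a backslash is not an escape character inside a T-SQL string literal, so 'O\'Brien' still ends the literal at the second quote.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with pdo_sqlsrv;
// the table/column names come from the thread, everything else is illustrative.
declare(strict_types=1);

// T-SQL escapes a single quote inside a string literal by doubling it.
// The backslash that addslashes() / magic_quotes inserts is NOT an escape
// character in T-SQL, which is why "O\'Brien" still breaks the query.
function escapeTsqlString(string $value): string
{
    return str_replace("'", "''", $value);
}

// The original concatenated query: any quote in $nombre closes the literal
// and whatever follows in the input is parsed as SQL.
function buildInsertPaisUnsafe(int $id, string $nombre): string
{
    return "INSERT INTO pais(id_pais, nombre_pais) VALUES ($id, '" . $nombre . "')";
}

// Same query with the string literal escaped. This only protects the quoted
// string; it is a stop-gap for a driver that cannot bind parameters.
function buildInsertPaisEscaped(int $id, string $nombre): string
{
    return "INSERT INTO pais(id_pais, nombre_pais) VALUES ($id, '"
        . escapeTsqlString($nombre) . "')";
}

// Preferred: a prepared statement. The SQL text never contains user data,
// so quoting is irrelevant; the driver ships the values separately.
function insertPais(PDO $pdo, int $id, string $nombre): void
{
    $stmt = $pdo->prepare('INSERT INTO pais(id_pais, nombre_pais) VALUES (:id, :nombre)');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':nombre', $nombre, PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed sample inputs: a legitimate apostrophe and a classic payload.
$inputs = ["Côte d'Ivoire", "x'); DELETE FROM pais; --"];
foreach ($inputs as $nombre) {
    echo "input:   $nombre\n";
    echo "unsafe:  " . buildInsertPaisUnsafe(1, $nombre) . "\n";
    echo "escaped: " . buildInsertPaisEscaped(1, $nombre) . "\n\n";
}

// Hypothetical connection: needs the pdo_sqlsrv extension and a reachable server.
// $pdo = new PDO('sqlsrv:Server=localhost;Database=ejemplo', 'user', 'pass');
// $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// insertPais($pdo, 1, "Côte d'Ivoire");
```

Running the script prints the unsafe query with the payload's DELETE sitting after a closed literal, and the escaped query with the doubled quote keeping the whole input inside the literal. Note that the escaping helper only covers the quoted string: the numeric id_pais is still interpolated as-is, which is the kind of hole the prepared statement closes.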

Posted: Fri Jul 28, 2006 10:32 am
by peperoni
I decided to solve it in a rude way! :twisted:

Code: Select all

$sugerencia = $_POST["txtSugerencia"];
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query

Code: Select all

$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing results

Code: Select all

echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo! :D

Thanks everybody!

C ya soon!

Posted: Fri Jul 28, 2006 1:21 pm
by jmut
peperoni wrote:I decided to solve it in a rude way! :twisted:

Code: Select all

$sugerencia = $_POST["txtSugerencia"];
$sugerencia2 = str_replace("'","/",$sugerencia);
now the query

Code: Select all

$sql="INSERT into sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) values($id_final,'".$sugerencia2."','$fecha_hoy',".$_POST["cmbActividad"].")";
now printing results

Code: Select all

echo "<td>".str_replace("/","'",$reg[1])."</td>";
Bingo! :D

Thanks everybody!

C ya soon!
This is just so wrong.... SQL injection is not only about escaping quotes!!!
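What jmut's objection looks like on peperoni's own query, as an added example that is not code from the thread. It reproduces the quote-to-slash swap on constructed inputs to show two things: a value that legitimately contains "/" comes back altered, and the cmbActividad value is interpolated without quotes, so a payload that contains no single quote at all gets past the fix. The hardened function at the end assumes a hypothetical PDO sqlsrv connection; table and column names follow the thread.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+; the $pdo in the last
// function is hypothetical and would need pdo_sqlsrv and a real server.
declare(strict_types=1);

// peperoni's transformation: quotes become slashes on the way in ...
function rudeFixIn(string $s): string
{
    return str_replace("'", "/", $s);
}

// ... and slashes become quotes on the way out.
function rudeFixOut(string $s): string
{
    return str_replace("/", "'", $s);
}

// The INSERT from the thread with the same interpolation: only $sugerencia
// is quoted, $idActividad (cmbActividad) is dropped into the SQL text as-is.
function buildInsertSugerencia(int $idFinal, string $sugerencia, string $fechaHoy, string $idActividad): string
{
    return "INSERT INTO sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) VALUES ("
        . $idFinal . ",'" . rudeFixIn($sugerencia) . "','" . $fechaHoy . "'," . $idActividad . ")";
}

// Problem 1: a stored value that legitimately contains "/" is corrupted on display.
$stored = rudeFixIn("100 km/h, isn't it?");   // 100 km/h, isn/t it?
$shown  = rudeFixOut($stored);                 // 100 km'h, isn't it?
echo "stored: $stored\nshown:  $shown\n\n";

// Problem 2: cmbActividad is unquoted, so a payload without any single quote
// closes the VALUES list and appends a second statement. rudeFixIn never sees it.
$payload = "1); DELETE FROM sugerencias; --";
echo buildInsertSugerencia(42, "hello", "2006-07-28", $payload), "\n\n";

// Hardened version: validate the non-string inputs and bind every value.
function insertSugerencia(PDO $pdo, int $idFinal, string $sugerencia, string $fechaHoy, string $idActividadRaw): void
{
    $idActividad = filter_var($idActividadRaw, FILTER_VALIDATE_INT);
    if ($idActividad === false) {
        throw new InvalidArgumentException('cmbActividad must be an integer');
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $fechaHoy);
    if ($d === false || $d->format('Y-m-d') !== $fechaHoy) {
        throw new InvalidArgumentException('fecha_suge must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO sugerencias(id_suge, descripcion_suge, fecha_suge, id_acti) VALUES (?, ?, ?, ?)'
    );
    // Bound values are sent out of band; no quoting or slash juggling needed,
    // and the stored text is exactly what the user typed.
    $stmt->execute([$idFinal, $sugerencia, $fechaHoy, $idActividad]);
}
```

The printed query for the payload ends in `,1); DELETE FROM sugerencias; --)`, which is two statements and a comment, produced without a single quote anywhere in the input. With the bound version the apostrophe problem that started the thread disappears as well, because the text is never part of the SQL string.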