Updating a table with a single quote character

mbaroz
Forum Commoner
Posts: 29
Joined: Sun Feb 05, 2006 10:10 am

Post by mbaroz »

Hi
When I use an UPDATE that has a single quote (') in the value to be inserted into the table, it ignores it.
I use ($MyValue="hello the're"):
<?php
$MyValue = "hello the're";
// The value is dropped straight into the SQL text; the WHERE clause is elided in the post.
$sql = "update T SET MyField='$MyValue' WHERE....";
?>

I want the single quote to be part of the string in the table.

Thanks for help
Moshe
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Put a \ in front of it to escape it.
mbaroz
Forum Commoner
Posts: 29
Joined: Sun Feb 05, 2006 10:10 am

Updating a table with a single quote character

Post by mbaroz »

Hi
Thanks for the quick answer.
Where should the \ go?
<?php
// As written, the backslash escapes the $ in the PHP string, so $string is not interpolated.
$sql = "update T set f='\$string' WHERE...";
?>
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

In front of the ' in the data you want.

Example: set `blah`='don\'t'
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

mysql_real_escape_string(), or your database's own variant if you aren't using MySQL.
Worst case, use addslashes().
cknudsen
Forum Newbie
Posts: 3
Joined: Tue Feb 21, 2006 9:48 pm
Location: Fredericksburg, VA

magic quotes

Post by cknudsen »

You can also use the PHP magic_quotes_gpc setting to do this escaping for you automatically (no need to call addslashes() or a similar function).

It's typically simpler than always calling addslashes(), but then you must require any system where your code is installed to have this PHP setting enabled. I'd recommend magic_quotes_gpc if you are developing something for internal use. Anything that will need to be installed someplace else or be accessible to potentially malicious users should use the addslashes() method.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Recommending magic quotes is the wrong route, friend. It does not protect against all routes, nor does it help in a lot of other uses, i.e. you have to strip those escapes a large percentage of the time. For the lazy, it can work, but you have security holes to deal with then. Same deal with addslashes(): it has holes. When dealing with insertion into MySQL, always, always, always pass the data through mysql_real_escape_string() at a minimum.
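As an added example that is not code from any of the posts above: the interpolated UPDATE from the question beside a parameterised PDO version, run against an in-memory SQLite database so it needs no MySQL server. It goes beyond what the thread discusses in one respect: instead of escaping the quote (Benjamin's backslash, feyd's mysql_real_escape_string(), cknudsen's magic_quotes_gpc), it uses a prepared statement, so the value never becomes part of the SQL text, no per-database escaping rule applies, and the apostrophe is stored exactly as typed. That also matters for a current reader, since magic_quotes_gpc was removed in PHP 5.4 and mysql_real_escape_string() with the rest of the mysql_ extension in PHP 7.0. The table T and column MyField come from the question; the id column, the three sample rows and the crafted attacker value are constructed for this example.

```php
<?php
// Added example, not code from the thread. Needs the pdo_sqlite extension,
// which ships with PHP; no MySQL server is involved.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table and column names from the question; the id column and rows are assumed.
    $db->exec("CREATE TABLE T (id INTEGER PRIMARY KEY, MyField TEXT)");
    $db->exec("INSERT INTO T (id, MyField) VALUES (1, 'one'), (2, 'two'), (3, 'three')");
    return $db;
}

// The pattern from the question: the value is pasted into the SQL text.
// Returns the number of rows the statement changed.
function updateInterpolated(PDO $db, int $id, string $myValue): int
{
    $sql = "UPDATE T SET MyField='$myValue' WHERE id=$id";
    return $db->exec($sql);
}

// The safe pattern: the SQL text is fixed and the value is sent separately,
// so the database never parses the value and no escaping rule applies.
function updateParameterised(PDO $db, int $id, string $myValue): int
{
    $stmt = $db->prepare("UPDATE T SET MyField = :v WHERE id = :id");
    $stmt->bindValue(':v', $myValue, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Reads one row back so the stored value can be inspected.
function fieldFor(PDO $db, int $id): ?string
{
    $stmt = $db->prepare("SELECT MyField FROM T WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

$value   = "hello the're";            // the string from the question
$payload = "owned' WHERE 1=1 -- ";    // constructed attacker value

// 1. The symptom from the question: the apostrophe closes the string literal
//    early, what follows is a syntax error, and nothing is written.
$db = makeDb();
try {
    updateInterpolated($db, 1, $value);
    echo "interpolated: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "interpolated: ", $e->getMessage(), "\n";
}

// 2. The same bug as an injection: the crafted value closes the literal,
//    supplies its own WHERE clause, and comments out the real one.
$changed = updateInterpolated($db, 1, $payload);
echo "interpolated with crafted value: $changed of 3 rows changed\n";

// 3. Parameterised: the apostrophe is stored as typed, the crafted value is
//    stored as plain text, and only the requested row is touched.
$db = makeDb();
updateParameterised($db, 1, $value);
updateParameterised($db, 2, $payload);
foreach ([1, 2, 3] as $id) {
    echo "parameterised: row $id = [", fieldFor($db, $id), "]\n";
}
```

Run it with `php example.php`: the first interpolated call fails with an SQL syntax error because the apostrophe ends the literal, the crafted value then changes all three rows through the same interpolated query, and the parameterised calls store both strings verbatim while touching only the row named by id. Against MySQL the same PDO code works unchanged with a `mysql:` DSN (or with mysqli prepared statements); the SQLite in-memory database is used here only so the example runs offline.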