Hi
When I use an update that has a single quote (') in the value to be inserted into the table, it ignores it.
I use: ($MyValue="hello the're")
<?
$sql="update T SET MyField='$MyValue' WHERE....";
?>
I want the single quote to be part of the string in the table.
Thanks for help
Moshe
Updating a table with a single quote character
Hi
Thanks for quick answer
Should the \ be in front of where?
<?
$sql="update T set f='\$string' WHERE...";
?>
- feyd
mysql_real_escape_string() or your database's own variant if you aren't using MySQL.
Worst case, use addslashes()
magic quotes
You can also use the PHP magic_quotes_gpc setting to do this escaping for you automatically (no need to call addslashes() or a similar function).
It's typically simpler to do than always calling addslashes(), but then you must require any system where your code is installed to have this PHP setting enabled. I'd recommend the magic_quotes_gpc if you are developing something for internal use. Anything that will need to be installed someplace else or be accessible to potentially malicious users should use the addslashes() method.
- feyd
Recommending magic quotes is the wrong route, friend. It does not protect against all routes, nor does it help in a lot of other uses, i.e. you have to strip those escapes a large percentage of the time. For the lazy, it can work, but you have security holes to deal with then. Same deal with addslashes(): it has holes. When dealing with insertion into MySQL, always always always pass the data through mysql_real_escape_string() at a minimum.
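Added example, not part of the original thread: the UPDATE from the question run four ways, showing why the escaping has to come from the database driver rather than from addslashes(). It assumes PHP with the pdo_sqlite extension; the in-memory SQLite database and the id column are assumptions standing in for the poster's MySQL table, and the bound-parameter step goes beyond what the thread discusses.

```php
<?php
// Added example. Table T and column MyField come from the question; the id
// column and the in-memory SQLite database (via PDO) are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE T (id INTEGER PRIMARY KEY, MyField TEXT)");
$db->exec("INSERT INTO T (id, MyField) VALUES (1, 'old value')");

// Run one UPDATE and report either the stored value or the SQL error.
function tryUpdate(PDO $db, string $sql): string
{
    try {
        $db->exec($sql);
        return 'stored: ' . $db->query("SELECT MyField FROM T WHERE id = 1")->fetchColumn();
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

$MyValue = "hello the're"; // the value from the question

// 1. Raw interpolation: the quote inside the value closes the literal early.
echo "raw:        ", tryUpdate($db, "UPDATE T SET MyField='$MyValue' WHERE id = 1"), "\n";

// 2. addslashes() emits \' which is MySQL-style; SQLite does not treat the
//    backslash as an escape, so the literal still ends early.
$slashed = addslashes($MyValue);
echo "addslashes: ", tryUpdate($db, "UPDATE T SET MyField='$slashed' WHERE id = 1"), "\n";

// 3. The driver's own escaper. PDO::quote() returns the value already wrapped
//    in quotes, escaped for the connected database ('' for SQLite).
$quoted = $db->quote($MyValue);
echo "quote():    ", tryUpdate($db, "UPDATE T SET MyField=$quoted WHERE id = 1"), "\n";

// 4. Bound parameter: the value is never spliced into the SQL text at all.
$stmt = $db->prepare("UPDATE T SET MyField = :v WHERE id = :id");
$stmt->execute([':v' => "it's bound", ':id' => 1]);
echo "prepared:   stored: ", $db->query("SELECT MyField FROM T WHERE id = 1")->fetchColumn(), "\n";
```

Steps 1 and 2 report a syntax error and leave the row unchanged; steps 3 and 4 store the value with its single quote intact.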