Updating a table with a single quote character
Posted: Wed Feb 15, 2006 6:25 am
by mbaroz
Hi
When I use an update that has a single quote (') in the value to be inserted into the table, it ignores it.
I use: ($MyValue="hello the're")
<?
$sql="update T SET MyField='$MyValue' WHERE...."
?>
I want the single quote to be part of the string in the table.
Thanks for help
Moshe
Posted: Wed Feb 15, 2006 6:26 am
by Benjamin
Put a \ in front of it to escape it.
Posted: Wed Feb 15, 2006 6:29 am
by mbaroz
Hi
Thanks for the quick answer.
Should the \ be in front of where?
<?
$sql="update T set f='\$string' WHERE..."
?>
Posted: Wed Feb 15, 2006 6:33 am
by Benjamin
In front of the ' in the data you want.
Example: set `blah`='don\'t'
Posted: Wed Feb 15, 2006 9:20 am
by feyd
mysql_real_escape_string(), or your database's own variant if you aren't using MySQL.
Worst case, use addslashes().
magic quotes
Posted: Tue Feb 21, 2006 10:03 pm
by cknudsen
You can also use the PHP magic_quotes_gpc setting to do this escaping for you automatically (no need to call addslashes() or a similar function).
It's typically simpler than always calling addslashes(), but then you must require any system where your code is installed to have this PHP setting enabled. I'd recommend magic_quotes_gpc if you are developing something for internal use. Anything that will need to be installed someplace else or be accessible to potentially malicious users should use the addslashes() method.
Posted: Tue Feb 21, 2006 10:44 pm
by feyd
Recommending magic quotes is the wrong route, friend. It does not protect against all routes, nor does it help in a lot of other uses, i.e. you have to strip those escapes a large percentage of the time. For the lazy, it can work, but you have security holes to deal with then. Same deal with addslashes(): it has holes. When dealing with insertion into MySQL, always always always pass the data through mysql_real_escape_string() at a minimum.
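As an added example (not code from anyone in this thread), the following script puts the original interpolated UPDATE next to the two safer forms discussed above: quoting through the database driver, and a prepared statement with a bound parameter. It uses PDO with an in-memory SQLite database so it runs offline; the table name T, the column MyField, the id column and the sample value "hello the're" are assumed from the thread. mysql_real_escape_string() needs a live MySQL connection, so PDO::quote() stands in for it here as the driver's own escaping routine.

```php
<?php
// Added example, not part of the original thread.
// Assumptions: table T with columns id and MyField; in-memory SQLite via PDO.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw on SQL errors so a malformed statement is visible instead of silent.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE T (id INTEGER PRIMARY KEY, MyField TEXT)");
    $db->exec("INSERT INTO T (id, MyField) VALUES (1, 'initial')");
    return $db;
}

// The thread's original approach: the value is pasted straight into the SQL text.
// A single quote inside $MyValue ends the string literal early, so the statement
// is malformed; the database rejects it and the row is never updated.
function updateByInterpolation(PDO $db, string $MyValue): string {
    $sql = "UPDATE T SET MyField='$MyValue' WHERE id=1";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Driver-side quoting (the PDO counterpart of mysql_real_escape_string()):
// the driver adds the surrounding quotes and escapes according to the
// connection's charset, which addslashes() cannot do.
function updateWithDriverQuote(PDO $db, string $MyValue): void {
    $sql = "UPDATE T SET MyField=" . $db->quote($MyValue) . " WHERE id=1";
    $db->exec($sql);
}

// Prepared statement: the value travels as a bound parameter, never as SQL
// text, so quotes or backslashes in the data cannot change the statement.
function updateWithPreparedStatement(PDO $db, string $MyValue): void {
    $stmt = $db->prepare("UPDATE T SET MyField = :v WHERE id = 1");
    $stmt->execute([':v' => $MyValue]);
}

function currentValue(PDO $db): string {
    return (string) $db->query("SELECT MyField FROM T WHERE id=1")->fetchColumn();
}

$db = makeDb();
$MyValue = "hello the're";   // constructed sample value from the thread

echo "interpolated: " . updateByInterpolation($db, $MyValue) . "\n";
echo "value now:    " . currentValue($db) . "\n";   // still 'initial'

updateWithDriverQuote($db, "driver's quote");
echo "value now:    " . currentValue($db) . "\n";

updateWithPreparedStatement($db, $MyValue);
echo "value now:    " . currentValue($db) . "\n";   // hello the're
```

Run it with the PHP CLI (`php example.php`); it needs the pdo_sqlite extension. The first call fails with a syntax error because the quote in the data terminated the SQL literal, which is the behaviour the original poster saw; the driver-quoted and prepared-statement versions store the quote intact. Of the two, the prepared statement is the one to reach for in new code, since it does not depend on getting the escaping right for every charset and every call site.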