Hi,
I just cannot get this working :(
Stuff I put in the form text field (including the quotes) ->> ';?%>'
All magic quotes are taken care of.
Here are the transformations I use on the input:
$first_name = addcslashes($first_name, '%');         // so % chars are escaped
$first_name = "%{$first_name}%";                      // because quote() adds '' around it...
$first_name = $t->getAdapter()->quote($first_name);   // so I escape quotes inside and all other nasty stuff
$sql_where .= " AND a.`AP_first_name` LIKE $first_name ";
Here is the final query created (result of var_dump())... mind that this query
is perfectly valid when passed to the mysql console and returns an empty set.
SELECT a.`A_id` FROM application aaa LEFT JOIN `applicant` a USING(A_id)
LEFT JOIN `applicant_address` aa USING(A_id) WHERE (1) AND
a.`AP_first_name` LIKE '%\';?\\%>\'%'
In ZF I create/use it like this:
$sql = "SELECT a.`A_id`
FROM application aaa
LEFT JOIN `applicant` a USING(A_id)
LEFT JOIN `applicant_address` aa USING(A_id)
WHERE (1) {$sql_where}";
$result = $t->getAdapter()->fetchCol($sql);
I tried prepare/execute but got the same error.
Thanks
Bill Karwin wrote:
Julian Davchev wrote:
I am just trying to form any query in which I want to pass a '?' mark to the
database.
So the question is how I appropriately escape this '?' so that ZF doesn't
look at it as a placeholder.
You don't have to escape the question mark if it is in quotes. I just
tested this:
$stmt = $db->prepare("INSERT INTO words (word) VALUES (';?>')");
$stmt->execute();
mysql> SELECT * FROM words;
+-------------+
| word |
+-------------+
| ;?> |
+-------------+
Regards,
Bill Karwin
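The approach both messages circle around (a LIKE search on a form value such as ';?%>' that contains quotes, a '?' and a wildcard) is easiest to get right by binding the pattern as a parameter instead of quoting it into the SQL string. The example below is added here and is not code from the thread or from Zend_Db; it uses Python's sqlite3 as a stand-in for the ZF adapter (same positional '?' placeholders), constructs its own sample rows, and escapes backslash, % and _ so they match literally.

```python
import sqlite3

# Constructed sample rows; the third one is the literal text typed into the form above.
SAMPLE_NAMES = ["Julian", "Bill", "';?%>'", "100% done", "under_score"]


def like_pattern(user_input: str, escape: str = "\\") -> str:
    """Turn raw user input into a LIKE pattern that matches it as a substring.

    Backslash, % and _ are escaped so they match literally (addcslashes with
    only '%' in the list leaves '_' as a single-character wildcard). The query
    must name the same character in its ESCAPE clause.
    """
    escaped = (user_input.replace(escape, escape + escape)
                         .replace("%", escape + "%")
                         .replace("_", escape + "_"))
    return f"%{escaped}%"


def find_names(conn: sqlite3.Connection, needle: str) -> list:
    """Substring search with a bound parameter.

    The pattern travels as a value, never as SQL text, so a '?' or a quote
    inside it cannot be read as a placeholder or break the statement.
    SQLite needs the ESCAPE clause spelled out; MySQL already treats
    backslash as the LIKE escape character by default.
    """
    sql = "SELECT name FROM applicant WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (like_pattern(needle),))]


def build_db() -> sqlite3.Connection:
    """In-memory table with the constructed rows, mirroring `applicant` above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicant (name TEXT)")
    conn.executemany("INSERT INTO applicant (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


if __name__ == "__main__":
    db = build_db()
    print(find_names(db, "';?%>'"))  # the form value itself, matched literally
    print(find_names(db, "%"))       # rows containing a literal percent sign
```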