Nestor,

You would do better to use prepared statements.

When a parameter is substituted into the prepared statement it is automatically quoted -- and you are protected from SQL Injection attacks. The reason your script is failing is that the single quote in $field is being interpreted as the SQL statement's closing single quote in MySQL. Thus, data in $field is being treated as potential SQL code. Very dangerous.

In your example, if someone is able to insert "');update user set password=PASSWORD('cracked" into $field you're in trouble. That's a simple but poor example of what can be done. People intent on breaking your system don't need to know what your schema is to do you harm.

Prepared statements and parameter substitution are a function of your language's DB library, so you need to find out how your language does this.

HTH,

Robert J Taylor.

There's an article at MySQL.com on Prepared Statements for more reading:
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
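The two approaches side by side, as an added example that is not from either poster: Python's sqlite3 module stands in for "your language's DB library" (the original is PHP against MySQL), the table and both input strings are constructed for the demo, and the hostile string is the one Robert quotes above, stored harmlessly as data.

```python
import sqlite3

# Constructed sample inputs: the poster's value and the hostile value
# from the reply (tries to close the quote and append a statement).
JOES_CAR = "Joe's car"
HOSTILE = "');update user set password=PASSWORD('cracked"


def open_db():
    """In-memory SQLite table standing in for the poster's mytable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (field text)")
    return conn


def insert_by_interpolation(conn, field):
    """The poster's approach: the value is pasted into the SQL text,
    so an apostrophe inside it ends the string literal early.
    Returns None on success, or the driver's error message."""
    query = "insert into mytable values('%s')" % field
    try:
        conn.execute(query)
        conn.commit()
        return None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return str(exc)


def insert_prepared(conn, field):
    """Parameter substitution: the SQL text is fixed and the value is
    handed to the driver separately, so quotes in it are just data."""
    conn.execute("insert into mytable values(?)", (field,))
    conn.commit()


def stored_values(conn):
    """Everything currently in mytable, in insertion order."""
    return [row[0] for row in conn.execute("select field from mytable")]


if __name__ == "__main__":
    db = open_db()
    print("interpolated:", insert_by_interpolation(db, JOES_CAR))
    insert_prepared(db, JOES_CAR)
    insert_prepared(db, HOSTILE)
    print("stored:", stored_values(db))
```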

Nestor Florez wrote:

Hello world,

I am passing a string "Joe's car" as part of the SQL query to be inserted
to a String field.


$field="Joe's car";
$query="insert into mytable values('$field')";

Do you generally change the quote to a double quote before inserting,
or what is the recommended way, because otherwise the quote will
terminate the query statement.

Thanks,

:-)

Néstor Alberto Flórez Torres


-- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
