$sString = "This string contains a single-quote (')";
$sQuery = "INSERT INTO mytable SET mystrcolumn='{$sString}',mynumbercolumn=24";
"INSERT INTO mytable SET mystrcolumn='This string contains a single-quote (')',mynumbercolumn=24" == $sQuery; // This just shows what's in $sQuery
If you were to run $sQuery as it is, it would not parse because the single-quote in $sString would indicate the end of that string, and the characters following it aren't valid SQL.
But, if you were to use mysql_escape_string on $sString, before putting it in the query, everything would work out fine.
$sString = "This string contains a single-quote (')";
$sString = mysql_escape_string($sString);
$sQuery = "INSERT INTO mytable SET mystrcolumn='{$sString}',mynumbercolumn=24";
"INSERT INTO mytable SET mystrcolumn='This string contains a single-quote (\')',mynumbercolumn=24" == $sQuery; // This just shows what's in $sQuery
Now the single-quote in $sString has been escaped, and MySQL doesn't see it as the string delimiter.
On a side note, mysql_real_escape_string would probably be preferable, as it takes into account the character set of the current connection.
Chris
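An added example, not code from the original thread, showing the two approaches the thread discusses side by side with the one a practitioner should reach for today. It assumes the mysqli extension (the ext/mysql functions used above were removed in PHP 7.0), a database "test" reachable with the credentials below, and a hypothetical table aeMail with a VARCHAR column test; the sample input is constructed.

```php
<?php
// Added example (not from the original thread).  Assumes the mysqli extension
// and a hypothetical table `aeMail(test VARCHAR(255))` in database `test`.

function build_escaped_whole_query(mysqli $db, string $value): string
{
    // Matthew's approach: build the statement first, then escape all of it.
    // The quotes that delimit the literal get escaped too, so MySQL no longer
    // sees a string literal at all and rejects the statement with a syntax error.
    $query = "INSERT INTO aeMail SET test='" . $value . "'";
    return $db->real_escape_string($query);
}

function build_escaped_value_query(mysqli $db, string $value): string
{
    // Chris's approach: escape only the value, then interpolate it.  A quote in
    // $value arrives as \' and stays inside the literal.  real_escape_string is
    // connection-aware, so set_charset() must have been called on $db first.
    return "INSERT INTO aeMail SET test='" . $db->real_escape_string($value) . "'";
}

function insert_with_prepared_statement(mysqli $db, string $value): int
{
    // Preferred form: the SQL text and the value travel to the server separately,
    // so no escaping is needed and nothing in $value can alter the statement.
    $stmt = $db->prepare("INSERT INTO aeMail SET test=?");
    $stmt->bind_param("s", $value);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Hypothetical credentials, mirroring the ones used in the thread.
$db = new mysqli("localhost", "user", "passwd", "test");
if ($db->connect_error) {
    throw new RuntimeException("connect failed: " . $db->connect_error);
}
$db->set_charset("utf8mb4");   // escaping depends on the connection charset

$input = "O'Reilly";           // constructed input containing a single quote

// Whole-query escaping: the statement MySQL would receive is no longer valid SQL.
echo build_escaped_whole_query($db, $input), "\n";

// Value escaping: the statement parses and stores the quote as data.
echo build_escaped_value_query($db, $input), "\n";

// Prepared statement: runs the INSERT without any string building.
echo insert_with_prepared_statement($db, $input), " row(s) inserted\n";
```

The first function reproduces the failure in the original post: once the delimiting quotes themselves are escaped, mysql_query (or mysqli::query) returns false and the class throws. The second is the fix Chris describes; the third removes the escaping step entirely and is the form that also closes off SQL injection, since user input is never part of the query text.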
Matthew Sims wrote:
PHP version 5.0.0RC3 (cgi) (built: Jul 9 2004 13:18:24)
I'm just getting my feet wet with OO and have run into a problem that I'm not familiar with...yet.
I have a class that does a database connection and query all together. It all works nicely until....until my query has a word with quotes around it.
I've tried addslashes and mysql_escape_string but when I do I get a Fatal Error. It occurs in the execute($query) function down below.
I'm also using the recommended php.ini file...magic quotes off and all.
*****************************************
class DB_Mysql {
    protected $user;   // Database username
    protected $pass;   // Database password
    protected $dbhost; // Database host
    protected $dbname; // Database name
    protected $dbh;    // Database handle

    public function __construct($user, $pass, $dbhost, $dbname) {
        $this->user = $user;
        $this->pass = $pass;
        $this->dbhost = $dbhost;
        $this->dbname = $dbname;
    }

    protected function connect() {
        $this->dbh = mysql_connect($this->dbhost, $this->user, $this->pass);
        if (!is_resource($this->dbh)) {
            throw new Exception;
        }
        if (!mysql_select_db($this->dbname, $this->dbh)) {
            throw new Exception;
        }
    }

    public function execute($query) {
        if (!$this->dbh) {
            $this->connect();
        }
        // My $query has quotes in it
        // I try to escape the quotes
        $query = mysql_escape_string($query);
        // It causes an error
        $ret = mysql_query($query, $this->dbh);
        if (!$ret) {
            // An Exception error is thrown
            throw new Exception;
        } elseif (!is_resource($ret)) {
            return TRUE;
        } else {
            $statement = new DB_MysqlStatement($this->dbh, $query);
            return $statement;
        }
    }
}
*****************************************
My query statement is: $query = 'INSERT into aeMail set test=\''.$_POST["test"].'\'';
I call the class as follows:
$dbh = new DB_Mysql("user","passwd","localhost","test");
$query = 'INSERT into aeMail set test=\''.$_POST["test"].'\'';
$dbh->execute($query);
If the $_POST variable does not contain any quotes, the class works perfectly. But whenever quotes are passed through, I get the following error:
Fatal error: Uncaught exception 'Exception' in /www/htdocs/classes/db_class.php:53 Stack trace: #0 /www/htdocs/letter.php(51): DB_Mysql->execute('INSERT into aeM...') #1 {main} thrown in /www/htdocs/classes/db_class.php on line 53
--Matthew Sims --<http://killermookie.org>
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php