On Fri, 24 Aug 2001, Sacha Chua wrote:
..
> Classic SQL problem. =) Eric, you've probably already fixed this to
> double the apostrophes, and also fix the HTML on output?
..
> SQL strings are delimited by single quotes, like this: 'Hello world!'
> That makes it break when you have a single apostrophe inside the
> string: 'This can't be.' So you need to double the apostrophes.
> 'This''ll work.'
Nope, that's not true. Quoting-a-quote works on Sybase, but Oracle uses
backslash-quote. The correct answer is, It Depends On The Database. None
of them follow SQL92 or SQL89 completely.
The error which popped up is an Example Of Bad Programming (apologies to
the programmer). Every database API has its own way of escaping "special
characters," but the correct way of doing it (generally) is to use
placeholders, e.g.
$sth = $dbh->prepare ("INSERT INTO Registrants (Name, Desc)
VALUES (?, ?)");
$sth->execute ($form_name, $form_desc);
This has the (added) good feature of correctly-escaping the stuff you
insert. It is VERY BAD PRACTICE to stick form data (e.g. from a web form)
directly into an SQL statement without placeholders, because in many cases
a l33t hax0r would be able to escape his/her input in such a way that
arbitrary SQL would be executed.
Oh well.. more on this in my talk tomorrow =)
--
Orlando Andico <[EMAIL PROTECTED]>
Mosaic Communications, Inc.
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
