Bruce Momjian wrote:
>
> > I'm not sure if PHP's addslashes command will take care of single
> > quotes, I haven't tried it yet. I believe the proper escape for a
> > single quote in SQL is to put another single quote in front of it.
> > So if a person's last name is "O'Brien" it would be inserted as:
> >
> > INSERT INTO personel (fname,lname) VALUES ('Michael','O''Brien');
> >
> > So what I do is a Regular Expression Replace in PHP, like this:
> >
> > $lname = ereg_replace("'", "''", $lname);
>
> But this does not handle backslashes in the string. I think the PHP
> function does both.
Looking at the source of the Bug Database at php.net, I noticed that strings are
inserted as they are, without any escaping. I still don't know where and why,
but PHP seems to escape quotes and slashes by itself when working with strings.
For example, I have the following code in my page:
$Query=sprintf("INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES (
'%s','%s','%s','%s','Open' )",$EMail,$SDescr,$LDescr,$Version);
echo $Query;
In the textarea (ltext) I put:
\\
\n
'
"
abc
And the resulting query is:
INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES (
'daniele@orlandi.com','Test3','\\\\ \\n \' \" abc','3.0.0','Open' )
Well, I've not yet been able to confuse PostgreSQL, and everything I get from a
select is identical to what I put in with the insert.
Bye!
--
Daniele
-------------------------------------------------------------------------------
Why use Windows, since there is a door?
(By fachat@galileo.rhein-neckar.de, Andre Fachat)
-------------------------------------------------------------------------------
If Telecom Italia added one call unit per day to every subscriber's bill, since
the first of January it would have stolen 671,633,000,000 lire.
-------------------------------------------------------------------------------
Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------
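The exchange above turns on one question: does the server treat backslash as an escape character inside a '...' literal? PostgreSQL historically did (the behaviour the message's textarea test relies on, and still the behaviour of E'...' literals), while standard_conforming_strings=on gives SQL-standard literals in which only a doubled single quote is special. Which escaping strategy is safe depends entirely on that mode. The following is an added example, not code from this thread, from PHP or from PostgreSQL: a small Python model of a string-literal lexer in both modes that builds the INSERT from the thread with three escaping strategies and reads the value back the way the server would. The table and column names, the addslashes() model and the hostile input are constructed for illustration; nothing here talks to a database.

```python
"""Added example: how a PostgreSQL-style string-literal lexer reads back
values produced by three escaping strategies, in both string modes.
Constructed model for illustration only; not the thread's or PHP's code."""

# Backslash sequences inside '...' literals when backslash escaping is on
# (standard_conforming_strings=off, or E'...' literals).  Any other '\x'
# decodes to 'x'.  Octal and other rarer forms are omitted from this model.
_LEGACY_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


def escape_quotes_only(value):
    """Double single quotes, as ereg_replace("'", "''", $lname) does."""
    return value.replace("'", "''")


def escape_addslashes(value):
    """Model (assumption) of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def escape_quotes_and_backslashes(value):
    """Double backslashes first, then quotes: the fix Bruce is asking for
    in the quoted reply, correct when backslash escaping is on."""
    return value.replace("\\", "\\\\").replace("'", "''")


def read_literal(sql, start, backslash_escapes):
    """Read the '...' literal beginning at sql[start] as the server would.
    Returns (decoded value, text left after the closing quote).
    Raises ValueError if the literal never terminates."""
    if sql[start] != "'":
        raise ValueError("no literal at offset %d" % start)
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append(_LEGACY_ESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'":
            if sql[i:i + 2] == "''":        # doubled quote -> one quote
                out.append("'")
                i += 2
            else:                            # closing quote
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


# Constructed statement shape, mirroring the thread's example.
PREFIX = "INSERT INTO personel (fname,lname) VALUES ('Michael','"
SUFFIX = "');"


def round_trip(escaper, value, backslash_escapes):
    """Build the INSERT with the given escaper and read the lname literal
    back.  A correct (escaper, mode) pair returns (value, SUFFIX); any
    other result means the literal ended early and the remainder of the
    user's input is now being parsed as SQL, or the data was altered."""
    sql = PREFIX + escaper(value) + SUFFIX
    return read_literal(sql, len(PREFIX) - 1, backslash_escapes)


if __name__ == "__main__":
    payload = "\\' OR 1=1 --"   # constructed hostile input: backslash, quote, SQL
    for name, esc in [("quotes only", escape_quotes_only),
                      ("addslashes", escape_addslashes),
                      ("quotes+backslashes", escape_quotes_and_backslashes)]:
        for mode in (True, False):
            print("%-20s %-9s %r" % (name, "legacy" if mode else "standard",
                                     round_trip(esc, payload, mode)))
```

Run stand-alone, the loop shows the matrix: with backslash escaping on, quote doubling alone lets `\' OR 1=1 --` close the literal early, while addslashes-style escaping and doubling both characters keep it inside the string (and the textarea literal from the message, `'\\\\ \\n \' \" abc'`, decodes back to exactly what was typed, which is why the SELECT matched). With standard-conforming strings the picture inverts: quote doubling is correct and sufficient, addslashes turns `O'Brien` into a literal that ends at `O\`, and doubling backslashes silently stores `a\\b` for `a\b`. An escaping routine is therefore only correct relative to the server's mode; a driver's parameterised query, or its server-aware quoting function, is what removes the need to know which mode is in force.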