Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Sql error when user enter apostroephy - help!

Status
Not open for further replies.
grwd

grwd

Technical User
Jan 20, 2002
20
US
I have a PHP form that gathers user input which I store in a mySql table.
A textbox gathers request data and places it in the var $request.

I run the following query to store the entered data in the table:

//Insert variables into table of previously selected DB.
$query = mysql_query("INSERT INTO requests VALUES ( '$ind', '$new_customer_id', '$gender', '$last_name', '$first_name', '$full_name', '$company', '$street', '$suburb', '$city', '$state', '$zipcode', '$country', '$email_address', '$full_phone', '$request_date', '$subject', '$request', '$please_respond', '$request_date', '$request_status', '$date_finished')");

Problem:
When a user enters a word with an aphostrophy like I'm or can't it throws an error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm here!', 'Yes', '2005-05-07', '', '')' at line 1"

QUESTIONS:
What must I do in order to capture WHATEVER the user types into that textbox?
 
Sort by date Sort by votes
you need to escape the apostrophe

i don't do php but i know there are functions which you can use to escape apostrophes

you might want to ask in the php forum

as far as the database is concerned, what you want is to replace each single apostrophe with two of them in a row, like this --
Code: 
insert
  into sometable
     ( surname )
values
     ( 'O''Toole' )
mysql offers seveal other syntaxes for escaping characters, but the above will work in any database, as it's the standard sql way of doing it

rudy | r937.com | Ask the Expert | Premium SQL Articles
SQL for Database-Driven Web Sites (next course starts May 8 2005)
 
Upvote 0 Downvote
single quotes are a common problem.

If you really need to have your SQL like that then I suggest you create a function that replaces all single quotes within EACH field by two single quotes.
This still leaves you subject to SQL Injection, so I suggest you search these forums for "SQL injection" and see if you can change to use a method less prone to that.



Regards

Frederico Fonseca
SysSoft Integrated Ltd
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

BobThornton
  • Locked
  • Question
windows command in a sql script
Replies
1
Views
211
carp
carp
manbob
  • Locked
  • Question
need a help with sub query getting group ereor, please correct
Replies
2
Views
201
carp
carp
jchewsmith
  • Locked
  • Question
SQL Syntax 1
Replies
1
Views
196
JarlH
JarlH
dEX2340
  • Locked
  • Question
SQL: Select Case when ... 2
Replies
12
Views
311
r937
r937
soushi01
  • Locked
  • Question
Nested For Loop update statement (pl/sql) 1
Replies
2
Views
174
soushi01
soushi01

Part and Inventory Search

Sponsor

Back
Top