Re: Narrowed down my problem to one statement:

At 09:38 PM 5/16/2006, John Meyer wrote:

$sql = "INSERT INTO BOOKS(CopyrightYear,CoverType,DatePurchased,EditionNumber,ISBNNumber,Notes,Pages,Publisher,LOCNumber) VALUES(\"" . $_POST["copyrightyear"] . "\",\"" . $_POST["covertype"] . "\",\"" . $_POST["datepurchased"] . "\"," . $_POST["editionnumber"] . ",\"" . $_POST["isbn"] . "\",\"" . addslashes($_POST["notes"]) . "\"," . (isset($_POST["numberofpages"])?$_POST["numberofpages"]:0) . ",\"" . $_POST["publisher"] . "\",\"" . $_POST["locnumber"] . "\")";


Okay, when $_POST["notes"] contains quotes, it seems to break the series, i.e. it returns an error at that point of the SQL statement, even with addslashes(). Am I doing something wrong there?


John,

I wasn't able to get your statement to break regardless of the content of $_POST["notes"], so I'm inclined to think the problem doesn't lie with embedded quotes alone. Try displaying the value of $sql when it fails in MySQL. Without that evidence, your problem seems impossible to solve.

I'm suspicious of this conditional expression:

        (isset($_POST["numberofpages"])?$_POST["numberofpages"]:0)

If $_POST["numberofpages"] is set but contains non-numeric content, the query will fail.

Here are two other points tangential to your question:

By feeding user input directly into an SQL query, you're creating an unnecessary vulnerability in your code. See "SQL Injection" at http://php.net/manual/en/security.database.sql-injection.php

I find the concatenation with escaped quotes messy and difficult to proofread and modify. My example below is somewhat exaggerated for effect, but consider using heredoc syntax for ease of reading and a couple of custom functions to make strings & numbers SQL-safe:
___________________________

$copyrightyear = prepString($_POST["copyrightyear"]);
$covertype     = prepString($_POST["covertype"]);
$datepurchased = prepString($_POST["datepurchased"]);
$editionnumber = prepNumber($_POST["editionnumber"]);
$notes         = prepString($_POST["notes"]);
$numberofpages = prepNumber($_POST["numberofpages"]);
$publisher     = prepString($_POST["publisher"]);
$locnumber     = prepString($_POST["locnumber"]);


$sql = <<< heredocSQL
        INSERT INTO BOOKS (
                CopyrightYear,
                CoverType,
                DatePurchased,
                EditionNumber,
                ISBNNumber,
                Notes,
                Pages,
                Publisher,
                LOCNumber
        ) VALUES (
                "$copyrightyear",
                "$covertype",
                "$datepurchased",
                $editionnumber,
                "$notes",
                $numberofpages,
                "$publisher",
                "$locnumber"
        );
heredocSQL;
___________________________

Paul
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
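The helpers Paul mentions but does not show, written here as an added example (not code from either poster): prepNumber() guards the numberofpages case he suspects (a blank or non-numeric field), and the INSERT itself goes through a PDO prepared statement, so quotes in Notes are handled by the driver instead of addslashes(). It assumes the pdo_sqlite extension; insertBook(), the in-memory BOOKS table and the form values are constructed for the demo.

```php
<?php
// Added example, not the list posters' code. Requires the pdo_sqlite extension.

function prepNumber($value, int $default = 0): int {
    // Hypothetical helper. An HTML form posts "" for an empty field and isset("")
    // is true, so the original (isset(...) ? ... : 0) would emit ",," and break
    // the statement; anything that is not a whole integer gets the default.
    $n = filter_var($value, FILTER_VALIDATE_INT);
    return $n === false ? $default : $n;
}

function insertBook(PDO $db, array $post): void {
    // Placeholders instead of concatenation: values travel separately from the
    // SQL text, so $post["notes"] may hold any quotes or backslashes unescaped.
    $sql = <<<SQL
INSERT INTO BOOKS (CopyrightYear, CoverType, DatePurchased, EditionNumber,
                   ISBNNumber, Notes, Pages, Publisher, LOCNumber)
VALUES (:copyrightyear, :covertype, :datepurchased, :editionnumber,
        :isbn, :notes, :pages, :publisher, :locnumber)
SQL;
    $db->prepare($sql)->execute([
        ':copyrightyear' => $post['copyrightyear'] ?? '',
        ':covertype'     => $post['covertype'] ?? '',
        ':datepurchased' => $post['datepurchased'] ?? '',
        ':editionnumber' => prepNumber($post['editionnumber'] ?? null, 1),
        ':isbn'          => $post['isbn'] ?? '',
        ':notes'         => $post['notes'] ?? '',
        ':pages'         => prepNumber($post['numberofpages'] ?? null),
        ':publisher'     => $post['publisher'] ?? '',
        ':locnumber'     => $post['locnumber'] ?? '',
    ]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE BOOKS (CopyrightYear TEXT, CoverType TEXT, DatePurchased TEXT,
           EditionNumber INTEGER, ISBNNumber TEXT, Notes TEXT, Pages INTEGER,
           Publisher TEXT, LOCNumber TEXT)');

// Constructed form input: both kinds of quote plus a backslash in Notes,
// a blank Pages field, and a non-numeric edition number.
$post = ['copyrightyear' => '1999', 'covertype' => 'hard', 'datepurchased' => '2006-05-16',
         'editionnumber' => '2nd', 'isbn' => '0-00-000000-0',
         'notes' => 'He said "it\'s C:\\temp"', 'numberofpages' => '',
         'publisher' => "O'Reilly", 'locnumber' => 'QA76'];
insertBook($db, $post);

$row = $db->query('SELECT Notes, Pages, EditionNumber FROM BOOKS')->fetch(PDO::FETCH_ASSOC);
echo $row['Notes'] === $post['notes'] ? "Notes round-tripped intact\n" : "Notes mismatch\n";
echo "Pages stored as {$row['Pages']}, EditionNumber as {$row['EditionNumber']}\n";
```

Run with `php example.php`; the blank Pages field becomes 0 and the bad edition number becomes 1 instead of producing a broken statement.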

