Re: Narrowed down my problem to one statement:

On Tue, May 16, 2006 11:38 pm, John Meyer wrote:
> $sql = "INSERT INTO
> BOOKS(CopyrightYear,CoverType,DatePurchased,EditionNumber,ISBNNumber,Notes,Pages,Publisher,LOCNumber)
> VALUES(\"" . $_POST["copyrightyear"] . "\",\"" . $_POST["covertype"] .
> "\",\"" . $_POST["datepurchased"] . "\"," . $_POST["editionnumber"] .
> ",\"" . $_POST["isbn"] . "\",\"" . addslashes($_POST["notes"]) . "\"," .
> (isset($_POST["numberofpages"])?$_POST["numberofpages"]:0) . ",\"" .
> $_POST["publisher"] . "\",\"" . $_POST["locnumber"] . "\")";
>
> Okay, when $_POST["notes"] contains quotes, it seems to break the
> series, i.e. returns an error at that point of the SQL statement, even
> with addslashes(). Am I doing something wrong there?

addslashes should be changed to http://php.net/mysql_real_escape_string

but that won't solve your problem.

Could you PLEASE tell us exactly what is in $_POST["notes"] other than
something with a quote?

Could you PLEASE use mysql_error() to give us the exact error message?

And, just for fun, print out the EXACT query after all that mess of
quotes is done?

For that matter, you're making life really difficult with the
double-quote thing...

$query = "INSERT INTO Books(...) VALUES('$CLEAN[copyrightyear]',
'$CLEAN[covertype]', ...)";

This presumes that you have scrubbed $_POST data into $CLEAN like you
should also be doing.

You could use $_POST in place of $CLEAN if you don't care about SQL
injection attacks...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
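An added example, not code from either poster in this thread: it reproduces the failure John describes (a quote inside a form value breaks the concatenated INSERT and the driver error is printed, as the reply asks), then inserts the same data with a PDO prepared statement, which is a swapped-in fix that does not depend on matching the server's escaping rules. It assumes PHP with pdo_sqlite and uses an in-memory SQLite database in place of MySQL, with a cut-down version of the BOOKS table.

```php
<?php
// Added example, not code from the thread. Runs stand-alone on an in-memory
// SQLite database through PDO; the table is a reduced version of the BOOKS
// table in the original post (Notes, Pages, Publisher only).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Books (Notes TEXT, Pages INTEGER, Publisher TEXT)');

// Constructed form input: both text fields contain an apostrophe.
$post = [
    'notes'         => "Bob's review copy, not for resale",
    'numberofpages' => '312',
    'publisher'     => "O'Reilly",
];
$pages = isset($post['numberofpages']) ? (int) $post['numberofpages'] : 0;

// 1. Values interpolated into SQL string literals, as in the original post
//    (single quotes, the style the reply suggests, but with no scrubbing).
//    The apostrophe in the data closes the literal early, so the parser
//    reads the rest of the value as SQL and rejects the statement; crafted
//    input would instead be executed as SQL. Hand escaping (addslashes,
//    mysql_real_escape_string) only works when it matches the server's
//    quoting rules exactly.
$sql = "INSERT INTO Books(Notes,Pages,Publisher) VALUES('{$post['notes']}',"
     . $pages . ",'{$post['publisher']}')";
try {
    $db->exec($sql);
    echo "concatenated query ran (unexpected)\n";
} catch (PDOException $e) {
    // Print the exact query and the driver's error message.
    echo "query: $sql\n";
    echo "error: " . $e->getMessage() . "\n";
}

// 2. Prepared statement with bound parameters. The values never pass
//    through the SQL parser as text, so quotes need no escaping at all.
$stmt = $db->prepare(
    'INSERT INTO Books(Notes,Pages,Publisher) VALUES(:notes,:pages,:publisher)'
);
$stmt->execute([
    ':notes'     => $post['notes'],
    ':pages'     => $pages,
    ':publisher' => $post['publisher'],
]);

// Read the row back: the apostrophes are stored intact.
$row = $db->query('SELECT Notes, Pages, Publisher FROM Books')
          ->fetch(PDO::FETCH_ASSOC);
printf("stored: notes=%s pages=%d publisher=%s\n",
       $row['Notes'], $row['Pages'], $row['Publisher']);
```

The same PDO prepared-statement pattern applies unchanged to a MySQL DSN; only the connection string differs.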
