About the language remark: I believe you are trying to say I need to find a way that the client can add 25 languages without me having to change the database layout or the coding? Well, I can assure you this will not be the case. The client only needs these two languages, but maybe I should look into it anyway.

About SQL injection: I must say this is very interesting. I always wondered what the dos and don'ts are when inserting data from a form into a database and how to check someone did not enter any PHP code. Besides the Google lookup, is there maybe a site or paper dedicated to this?

Thx again, didn't think this question was about to bring up what I was looking for in the back of my head.

-----Original Message-----
From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
Sent: Tuesday 29 August 2006 15:37
To: rv@xxxxxxxx
CC: php-general@xxxxxxxxxxxxx
Subject: Re: replace single and double quotes

Reinhart Viane wrote:
> This is the code I use to insert/update text into a database field:
>
> $sqledit="update activities set act_extra='$_POST[editextra]',
> act_extra_fr='$_POST[editextrafr]' where act_id=$_POST[editid]";

this indicates 'bad' database design ... because adding a language involves having to change the database schema. I personally think that there should be no need to change the database schema and/or queries and/or code just because the client wants an extra language.

it also indicates that you have a glaring SQL injection problem. what happens when I craft a POST request that contains an 'editid' parameter with the following in it:

'1 OR 1' or '1; DELETE * FROM activities'

google 'SQL injection', do some reading and get into the habit of sanitizing your user input.

>
> Now both $_POST[editextra] and $_POST[editextrafr] can contain single or
> double quotes.
> So the query almost always gives me an error.
> I know I have to replace " with ", but I do not know how to replace the

WRONG - you only replace " with " when you are OUTPUTTING the string as part of a webpage. the database should contain the actual

> single quote so it is shown as a single quote on a webpage when I get it
> from the database

mysql_real_escape_string()

search this archive; there is plenty of discussion about escaping data so that it can be inserted into a database (mostly concerning MySQL).

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
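The two fixes the reply points at (escape or bind values before they reach MySQL, and convert quotes to HTML entities only when rendering the page) as a worked example. This is added code, not from the thread or from either poster. It uses the mysqli extension rather than the mysql_real_escape_string() named in the reply, because the old mysql extension no longer exists in current PHP; it assumes an open mysqli connection in $link and keeps the thread's table, column and POST field names. It also covers the case the thread's sample query leaves open: act_id is interpolated without quotes, so quote escaping alone would not protect that parameter.

```php
<?php
// Added example, not from the mailing-list thread. Assumes a mysqli
// connection in $link and the thread's table/columns and POST fields:
//   activities(act_id, act_extra, act_extra_fr)
//   $_POST['editextra'], $_POST['editextrafr'], $_POST['editid']

// --- The query as posted in the thread, kept for contrast ---
// $sqledit = "update activities set act_extra='$_POST[editextra]',
//             act_extra_fr='$_POST[editextrafr]' where act_id=$_POST[editid]";
// Two separate problems: a quote inside editextra/editextrafr ends the
// string early, and editid is placed in the SQL without quotes, so
// escaping quotes would do nothing for it.

// --- Option 1: escape the strings, cast the integer ---
function build_update_escaped(mysqli $link, array $post): string
{
    $extra   = mysqli_real_escape_string($link, $post['editextra'] ?? '');
    $extraFr = mysqli_real_escape_string($link, $post['editextrafr'] ?? '');
    // act_id is a bare number in the SQL: force it to an int instead of escaping
    $id      = (int) ($post['editid'] ?? 0);

    return "UPDATE activities SET act_extra='$extra', act_extra_fr='$extraFr'"
         . " WHERE act_id=$id";
}

// --- Option 2 (preferred): prepared statement, values never enter the SQL text ---
function update_activity(mysqli $link, array $post): bool
{
    $stmt = $link->prepare(
        'UPDATE activities SET act_extra=?, act_extra_fr=? WHERE act_id=?'
    );
    if ($stmt === false) {
        return false;
    }
    $extra   = $post['editextra'] ?? '';
    $extraFr = $post['editextrafr'] ?? '';
    $id      = (int) ($post['editid'] ?? 0);
    // type string: 's' = string, 'i' = integer
    $stmt->bind_param('ssi', $extra, $extraFr, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Output side: the database keeps the literal quotes; convert them
//     to entities only when the text is rendered into HTML ---
function render_extra(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Usage with constructed input (no real request involved):
// $post = ['editextra' => "it's \"quoted\"", 'editextrafr' => "c'est", 'editid' => '7'];
// echo build_update_escaped($link, $post);   // quotes escaped, act_id=7
// update_activity($link, $post);             // same effect via bind_param
// echo render_extra("it's \"quoted\"");      // entities only at output time
```

The escaped-string variant matches the advice in the reply, but the prepared statement is the safer default: it handles strings and integers uniformly, so there is no parameter whose quoting you can forget, and it keeps the output-time htmlspecialchars() call as the only place where " becomes an entity.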