RE: Re: Basic MySQL Query Question

Ok. It seems that a $_POST value comes over with the escaped single quote as
in O\'Neal. So why does it not preserve that escape when pulling a value
from a table field, and inserting it back into another table field? When I
pull it out and insert it back in it is simply O'Neal.

-----Original Message-----
From: Torsten Roehr [mailto:roehr@xxxxxxxxxxx] 
Sent: Monday, August 16, 2004 9:44 AM
To: php-db@xxxxxxxxxxxxx
Subject:  Re: Basic MySQL Query Question

Hi Chad, please see below

"Chad Stalvey" <chad@xxxxxxxx> wrote in message
news:200408161420.i7GEKsCT058166@xxxxxxxxxxxxxxx
> I'm having some inconsistency with mysql insert queries when there is a
> single quote involved.
>
> Example: A new member registers with the name of Jason O'Neal. There are no
> addslashes in the code, and the user is entered into the table correctly.
>
> Insert into members (name) values ('$_POST[name]');

You don't need the quotes here because you want to insert the value of
$_POST['name'] and not the string '$_POST[name]'. Change the line to:

Insert into members (name) values ($_POST['name']);

>
> Now the user submits a trouble ticket from within the site. The process is
> to select the name from the members table and insert it along with the
> ticket, into the tickets table. When this happens, I get an error on the
> insert.
>
> Select name from members where id = $_SESSION[uid];
>
> Insert into tickets (name,problem) values ('$row[name]','$_POST[problem]');

You are always omitting the quotes around your array keys! Change it to:

Select name from members where id = $_SESSION['uid'];
and
Insert into tickets (name,problem) values ($row['name'], $_POST['problem']);

>
> Now I am forced to use addslashes to make it work, as well for the problem
> that they submit.
>
> What is the difference? It seems that if it works one place, then it should
> work everywhere?
>
> Or would it matter that name is not a key in the members table but is in the
> tickets, or vice versa?
>
> This is really bugging me.

Please check whether those changes solve your problem. Whenever one of your
values contains a single quote you will get an SQL error - so use addslashes()
or (better) mysql_real_escape_string() on all insert values.

Hope this helps.

Regards, Torsten Roehr

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
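
The behaviour asked about at the top of this message, as an added example that is not part of the thread: magic_quotes_gpc escapes only GET/POST/cookie input, so a value read back from a table carries no backslash and breaks a quoted SQL string, while bound parameters handle both cases. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the table layout and sample values are constructed.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// an in-memory SQLite database stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE tickets (name TEXT, problem TEXT)');

// Constructed input: raw form values, as PHP delivers them without magic quotes.
$post = ['name' => "Jason O'Neal", 'problem' => "Can't log in"];

// Registration: the value is bound, never spliced into the SQL text.
$ins = $db->prepare('INSERT INTO members (name) VALUES (:name)');
$ins->execute([':name' => $post['name']]);
$uid = (int) $db->lastInsertId();

// The stored value has no backslash: escaping is SQL-literal syntax, not data.
$sel = $db->prepare('SELECT name FROM members WHERE id = :id');
$sel->execute([':id' => $uid]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// The thread's failing pattern: interpolating the fetched value ends the
// string literal at the apostrophe and the statement no longer parses.
try {
    $db->exec("INSERT INTO tickets (name, problem) VALUES ('{$row['name']}', 'x')");
    echo "interpolated insert: ok\n";
} catch (PDOException $e) {
    echo "interpolated insert: failed (" . $e->getMessage() . ")\n";
}

// Bound parameters treat database-sourced and user-sourced values identically.
$ticket = $db->prepare('INSERT INTO tickets (name, problem) VALUES (:name, :problem)');
$ticket->execute([':name' => $row['name'], ':problem' => $post['problem']]);

foreach ($db->query('SELECT name, problem FROM tickets') as $t) {
    echo "{$t['name']}: {$t['problem']}\n";
}
```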
