Re: Re: Stuck in apostrophe hell

[Karl DeSaulniers <karl@xxxxxxxxxxxxxxx>]

On Aug 3, 2010, at 8:08 AM, Peter Lind wrote:

> On 3 August 2010 15:04,  <Paul_S_Johnson@xxxxxxxxxxxxxxxx> wrote:
> > Yes, I may have mixed up the input and output from different  
> > iterations of
> > running it. Let me try posting this again although it may not be  
> > an issue.
> > Once again if I enter two sequential apostrophes in the name  
> > (O''Brien)
> > the INSERT passes right through to MySQL without an error.
> >
> > THE INPUT:
> >
> > $sql_insert_registration = sprintf("INSERT INTO
> >  Registrations (
> >    Class_ID,
> >    prid,
> >    Registrant,
> >    Company,
> >    Phone,
> >    Email
> >  )
> > VALUES (
> >    $_POST[Class_ID],
> >    $_POST[prid],
> >    '%s',".
> >    parseNull($_POST['Company']).",
> >    '$_POST[Phone]',
> >    '$_POST[Email]'
> > )", mysql_real_escape_string($_POST['Registrant']));
> >
> > echo "<pre>$_POST['Registrant".$_POST["Registrant"]."</pre>";
> > echo "<pre>".mysql_real_escape_string($_POST["Registrant"])."</pre>";
> > echo "<pre>".$sql_insert_registration."</pre>";
> >
> >
> > THE OUTPUT:
> >
> > Brian O'Brien
> > Brian O\'Brien
> > INSERT INTO
> >  Registrations (
> >    Class_ID,
> >    prid,
> >    Registrant,
> >    Company,
> >    Phone,
> >    Email
> >  )
> > VALUES (
> >    355,
> >    257,
> >    'Brian O\'Brien',NULL,
> >    '612-456-5678',
> >    'somebody@xxxxxxxxxxxxx'
> > )
> > Error: You have an error in your SQL syntax; check the manual that
> > corresponds to your MySQL server version for the right syntax to  
> > use near
> > 'Brien', 'Class registration confirmation', ' This email ' at line 16
>
> Strangely, you have still failed to provide the input that is actually
> sent to mysql. Look at the error code: "... for the right syntax to
> use near 'Brien', 'Class registration confirmation', ' This email '" -
> "Class registration confirmation" does not appear anywhere in the
> output section you posted but it appears in the mysql error.
>  I'd do as Bret suggested and turn on query logging in mysql to see
> what is actually received.
>
> Regards
> Peter
>
> --
> <hype>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15
> </hype>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
Can't you just..

VALUES = mysql_real_escape(VALUES);
before submitting
or something similar?

maybe urlencode

Karl DeSaulniers
Design Drumm
http://designdrumm.com


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php