Ask a Question related to MySQL, Design and Development.
-
Pat #1
how to prevent inputting quotation mark (')?
Hi,
I made a form where visitors can introduce data.
I use this:
strsql="INSERT INTO mytable (field1,field2 ...) values('" & lol & "',#" &
dat & ...)"
My problem is that when someone introduces a quotation mark, i get a error
and the insert fails (e.g. nam'e).
How can i prevent that? Controling each entered character seems me to be a
very big work ...
Pat Guest
-
Quotation mark (") after installing FlashPlayer-TechNote Solution not working
:sad; I get the evil quotation mark (") after trying to install Flash Player. I tried to delete the "Safe Versions" folder in the registry and... -
Inputting Chinese Fonts
Hi ! I am trying to use the Text Tool to input chinese fonts into my design. But even after reinstalling Illustrator 10 with CMap support and... -
how can I store a quotation mark as text?
Hello, I have the following list: forbiddenChars = list("*","<",">","/","\","?",":","|","QUOTATIONMARK") you see my problem: I want to store... -
problems with strings and " in asp: how to use the the quotation mark correctly?
Hello, I have problems with the quotation mark and strings in my asp script. I made a general FORM (myform.asp) to read out data from a dbase ... -
how to prevent prevent .so-calling routine to crash from segfaults in .so
Hi, Guys I am stuck with a problem and need some help. Platform : Linux(RedHat 7.3) Problem Area : Dynamic Shared Object Libraries, POSIX... -
Martijn Tonies #2 Re: how to prevent inputting quotation mark (')?
Use prepared statements.> I made a form where visitors can introduce data.
> I use this:
> strsql="INSERT INTO mytable (field1,field2 ...) values('" & lol & "',#" &
> dat & ...)"
>
> My problem is that when someone introduces a quotation mark, i get a error
> and the insert fails (e.g. nam'e).
>
> How can i prevent that?
I believe MySQL has a function for that in the API ...>Controling each entered character seems me to be a
> very big work ...
mysql_escape_string or something.
--
Martijn Tonies
Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL
Server
Upscene Productions
[url]http://www.upscene.com[/url]
Database development questions? Check the forum!
[url]http://www.databasedevelopmentforum.com[/url]
Martijn Tonies Guest
-
Mike #3 Re: how to prevent inputting quotation mark (')?
Can't you use the replace function (replacing the quotation mark with
an empty string).
strsql = "INSERT INTO mytable (field1) values (replace(" & lol & ",
char(39), ''))"
Mike Guest
-
Martijn Tonies #4 Re: how to prevent inputting quotation mark (')?
> Can't you use the replace function (replacing the quotation mark with
Well, although that might solve the quote problem, it does change> an empty string).
>
> strsql = "INSERT INTO mytable (field1) values (replace(" & lol & ",
> char(39), ''))"
the data being saved.
For example, if this was an application that keeps user accounts
and my name was O'Malley -- I would not be amused if it saved
my name as O Malley...
If the user want's to input a ' and it makes sense, then allow the
user to do so. You shouldn't modify data before it is inserted
into the database if the data is valid in the given domain. (eg:
` is not valid in numbers, obviously )
--
Martijn Tonies
Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL
Server
Upscene Productions
[url]http://www.upscene.com[/url]
Database development questions? Check the forum!
[url]http://www.databasedevelopmentforum.com[/url]
Martijn Tonies Guest
-
Bill Karwin #5 Re: how to prevent inputting quotation mark (')?
"Pat" <wfdvbf@dfg.cv> wrote in message
news:W7SdnbCqr7ggTkXeRVnygg@scarlet.biz...Quote characters can be escaped so that they can be used in SQL strings by> I made a form where visitors can introduce data.
> I use this:
> strsql="INSERT INTO mytable (field1,field2 ...) values('" & lol & "',#" &
> dat & ...)"
>
> My problem is that when someone introduces a quotation mark, i get a error
> and the insert fails (e.g. nam'e).
using the backslash (\) character. E.g. INSERT INTO mytable VALUES
('O\'Malley')
Also these characters can be encoded according to standard SQL as two quote
characters:
INSERT INTO mytable VALUES ('O''Malley')
See [url]http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html[/url].
Instead of filtering the string yourself, Perl and PHP offer API functions
to "encode" strings to be friendly to SQL syntax. In Perl DBI the function
is $dbh->quote($value), and in PHP it's mysql_escape_string().
See these pages for more information:
[url]http://www.oreilly.com/catalog/perldbi/chapter/ch04.html[/url] (for Perl DBI)
[url]http://us3.php.net/mysql_escape_string[/url] (for PHP)
The other method (which Martijn mentioned) is to send string values as
parameters to a prepared statement. See this article for more information:
[url]http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html[/url]
When sending strings as parameters, you don't need to escape special
characters.
Regards,
Bill K.
Bill Karwin Guest
-
Terry #6 Re: how to prevent inputting quotation mark (')?
Pat wrote:
$field1=eregi_replace("[^-a-z0-9.() ,]*","",$field1);> Hi,
>
> I made a form where visitors can introduce data.
> I use this:
> strsql="INSERT INTO mytable (field1,field2 ...) values('" & lol & "',#" &
> dat & ...)"
>
> My problem is that when someone introduces a quotation mark, i get a error
> and the insert fails (e.g. nam'e).
>
> How can i prevent that? Controling each entered character seems me to be a
> very big work ...
is one way that works. That will remove any character except an
alphanumeric, dash (-), period (.), parenthesis (()), space ( ), or
comma (,). Adjust as you see fit.
See also stripslashes().
HTH
--
TK
[url]http://www.wejuggle2.com/[/url]
Still Having a Ball
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet?
..
----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
[url]http://www.newsfeeds.com[/url] The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
Terry Guest
-
Jim Michaels #7 Re: how to prevent inputting quotation mark (')?
"Martijn Tonies" <m.tonies@upscene.removethis.com> wrote in message
news:11tid05f5sgjd8a@corp.supernews.com...mysql_escape_string() and mysql_real_escape_string() saves the ' and " but>>> Can't you use the replace function (replacing the quotation mark with
>> an empty string).
>>
>> strsql = "INSERT INTO mytable (field1) values (replace(" & lol & ",
>> char(39), ''))"
> Well, although that might solve the quote problem, it does change
> the data being saved.
>
> For example, if this was an application that keeps user accounts
> and my name was O'Malley -- I would not be amused if it saved
> my name as O Malley...
escapes them with a preceding \
BUT it doesn't handle ; so you will have to strip that one out yourself.
all these are used with SQL INJECTION, something you don't want, so I
suggest you escape your incoming data string variable.
>
> If the user want's to input a ' and it makes sense, then allow the
> user to do so. You shouldn't modify data before it is inserted
> into the database if the data is valid in the given domain. (eg:
> ` is not valid in numbers, obviously )
>
>
>
> --
> Martijn Tonies
> Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL
> Server
> Upscene Productions
> [url]http://www.upscene.com[/url]
> Database development questions? Check the forum!
> [url]http://www.databasedevelopmentforum.com[/url]
>
>
>
Jim Michaels Guest
-
Unregistered #8 Re: how to prevent inputting quotation mark (')?
It saves it fine, but then on retrieval or display, php displays the "" as quetion marks(?) any help on display
Unregistered Guest
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
