Stuck in apostrophe hell
in [Databases]
|
Prev: downloading badges and putting it on any websites.
Next: PHP application hosted on a dektop ubuntu(localhost) vs A .NET software installed on Windows
From: David Robley on 3 Aug 2010 21:24 Paul_S_Johnson(a)mnb.uscourts.gov wrote: > Yes, I may have mixed up the input and output from different iterations of > running it. Let me try posting this again although it may not be an issue. > Once again if I enter two sequential apostrophes in the name (O''Brien) > the INSERT passes right through to MySQL without an error. > > THE INPUT: > > $sql_insert_registration = sprintf("INSERT INTO > Registrations ( > Class_ID, > prid, > Registrant, > Company, > Phone, > ) > VALUES ( > $_POST[Class_ID], > $_POST[prid], > '%s',". > parseNull($_POST['Company']).", > '$_POST[Phone]', > '$_POST[Email]' > )", mysql_real_escape_string($_POST['Registrant'])); > > echo "<pre>$_POST['Registrant".$_POST["Registrant"]."</pre>"; > echo "<pre>".mysql_real_escape_string($_POST["Registrant"])."</pre>"; > echo "<pre>".$sql_insert_registration."</pre>"; > > > THE OUTPUT: > > Brian O'Brien > Brian O\'Brien > INSERT INTO > Registrations ( > Class_ID, > prid, > Registrant, > Company, > Phone, > ) > VALUES ( > 355, > 257, > 'Brian O\'Brien',NULL, > '612-456-5678', > 'somebody(a)somewhere.org' > ) > Error: You have an error in your SQL syntax; check the manual that > corresponds to your MySQL server version for the right syntax to use near > 'Brien', 'Class registration confirmation', ' This email ' at line 16 > > > Paul S. Johnson > U.S. Bankruptcy Court > District of Minnesota > paul_s_johnson(a)mnb.uscourts.gov > 612-664-5276 Check the settings for magic-quotes, and make sure you aren't using stripslashes somewhere? Also, echo the actual query that is being passed to mysql to check what is happening. Cheers -- David Robley Life is Roff when yer Stewpid Today is Sweetmorn, the 70th day of Confusion in the YOLD 3176.
From: Simcha Younger on 4 Aug 2010 03:19 > Paul_S_Johnson(a)mnb.uscourts.gov wrote: > > > > THE INPUT: > > > > $sql_insert_registration = sprintf("INSERT INTO > > Registrations ( > > Class_ID, > > prid, > > Registrant, > > Company, > > Phone, > > ) > > VALUES ( > > $_POST[Class_ID], > > $_POST[prid], > > '%s',". You need double-quotes here, \"%s\", > > parseNull($_POST['Company']).", > > '$_POST[Phone]', > > '$_POST[Email]' > > )", mysql_real_escape_string($_POST['Registrant'])); > > -- Simcha Younger <simcha(a)syounger.com>
From: "Ford, Mike" on 4 Aug 2010 04:20 > -----Original Message----- > From: Simcha Younger [mailto:simcha(a)syounger.com] > Sent: 04 August 2010 08:19 > > > Paul_S_Johnson(a)mnb.uscourts.gov wrote: > > > > > > > THE INPUT: > > > > > > $sql_insert_registration = sprintf("INSERT INTO > > > Registrations ( > > > Class_ID, > > > prid, > > > Registrant, > > > Company, > > > Phone, > > > ) > > > VALUES ( > > > $_POST[Class_ID], > > > $_POST[prid], > > > '%s',". > > You need double-quotes here, > \"%s\", No, he doesn't. Single quotes are fine. Doubles would more than likely be a SQL error. > > > parseNull($_POST['Company']).", > > > '$_POST[Phone]', > > > '$_POST[Email]' > > > )", mysql_real_escape_string($_POST['Registrant'])); > > > > > > -- > Simcha Younger <simcha(a)syounger.com> Cheers! Mike -- Mike Ford, Electronic Information Developer, Libraries and Learning Innovation, Leeds Metropolitan University, C507 City Campus, Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom Email: m.ford(a)leedsmet.ac.uk Tel: +44 113 812 4730 To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
From: Paul_S_Johnson on 4 Aug 2010 10:16
OK, I figured it out. I followed the advice here to turn on MySQL logging (which took more doing that it should have), so I could see what's really being sent to MySQL. It wasn't choking on the query I posted in my message but a later one in which the string was not escaped. The red herring that led me astray was the line no. indicated in the error message that pointed to the query I posted (or at least seemed to). Anyway, thanks for the tips that got me pointed in the right direction. Paul Paul S. Johnson |