Posted by gosha bine on 08/09/07 14:27

On 09.08.2007 12:42 Sanders Kaufman wrote:
> I just found out that an app I wrote doesn't allow the user to input
> apostrophes into the textarea. If they do, the insert/update fails.
>
> I'm sure this issue has been done to death - but it's the first time
> it's come up for me.
>
> What I'm doing is something like this:
>
> function UpdateRecord($iID, $sContent) {

$sContent = addslashes($sContent);

> $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
> $bSuccess = RunSQL($sSQL);
> return $bSuccess;
> }
>
> Is there a simple escape command

Yes, see above

>, or am I going to have to get all into
> writing some complex handler for apostrophes and whatnot.

For the real-world applications you have to use a complex handler, but
there's no need to write it, just use an existing library like PDO,
mysqli etc.

>
> Note: In this example, I'm *totally* ignoring the threat from SQL
> injection. I just don't want apostrophes to crash the update/create.
>



--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi

[Back to original message]