Posted by Jerry Stuckle on 08/09/07 14:46

gosha bine wrote:
> On 09.08.2007 12:42 Sanders Kaufman wrote:
>> I just found out that an app I wrote doesn't allow the user to input
>> apostrophes into the textarea. If they do, the insert/update fails.
>>
>> I'm sure this issue has been done to death - but it's the first time
>> it's come up for me.
>>
>> What I'm doing is something like this:
>>
>> function UpdateRecord($iID, $sContent) {
>
> $sContent = addslashes($sContent);
>

mysql_real_escape_string() is much better for this.

>> $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>> $bSuccess = RunSQL($sSQL);
>> return $bSuccess;
>> }
>>
>> Is there a simple escape command
>
> Yes, see above
>
>> , or am I going to have to get all into writing some complex handler
>> for apostrophes and whatnot.
>
> For the real-world applications you have to use a complex handler, but
> there's no need to write it, just use an existing library like PDO,
> mysqli etc.
>
>>
>> Note: In this example, I'm *totally* ignoring the threat from SQL
>> injection. I just don't want apostrophes to crash the update/create.
>>
>
>
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]