Single quotes in MSSQL

**Toby A Inkster** · Apr 11 '07, 02:55 PM

Re: Single quotes in MSSQL

nick.bonadies wrote:

I'm trying to deal with user inputs of single quotes into form fields
that get input into a MSSQL database. So far I have discovered that
if I turn on magic_quotes_sy base in my php.ini file PHP will correctly
escape the single quotes.

Argh! Don't do that!

Just use str_replace("'" , "''", $data) on data before you send it to the
database and don't do anything on the returned data.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

**nick.bonadies@gmail.com** · Apr 11 '07, 06:15 PM

Re: Single quotes in MSSQL

On Apr 11, 10:45 am, Toby A Inkster <usenet200...@t obyinkster.co.u k>
wrote:

nick.bonadies wrote:

I'm trying to deal with user inputs of single quotes into form fields
that get input into a MSSQL database. So far I have discovered that
if I turn on magic_quotes_sy base in my php.ini file PHP will correctly
escape the single quotes.

>
Argh! Don't do that!
>
Just use str_replace("'" , "''", $data) on data before you send it to the
database and don't do anything on the returned data.
>
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
>
* = I'm getting there!

yeah that makes much more sense! thank you!

nick

**nick.bonadies@gmail.com** · Apr 11 '07, 06:25 PM

Re: Single quotes in MSSQL

On Apr 11, 10:45 am, Toby A Inkster <usenet200...@t obyinkster.co.u k>
wrote:

nick.bonadies wrote:

I'm trying to deal with user inputs of single quotes into form fields
that get input into a MSSQL database. So far I have discovered that
if I turn on magic_quotes_sy base in my php.ini file PHP will correctly
escape the single quotes.

>
Argh! Don't do that!
>
Just use str_replace("'" , "''", $data) on data before you send it to the
database and don't do anything on the returned data.
>
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
>
* = I'm getting there!

Hmm actually, one problem, it works for inputting data but when i get
data back i still get a double single quote, so again my view still
looks like O''Brien, instead of O'Brien. should i just run
str_replace(); on the view? or is there an easier solution?

**Toby A Inkster** · Apr 12 '07, 12:05 AM

Re: Single quotes in MSSQL

nick.bonadies wrote:

Hmm actually, one problem, it works for inputting data but when i get
data back i still get a double single quote, so again my view still
looks like O''Brien, instead of O'Brien.

This means that the actual data in your database has two apostrophes. Fix
that and you'll be sorted.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

**nick.bonadies@gmail.com** · Apr 12 '07, 03:15 PM

Re: Single quotes in MSSQL

Toby A Inkster wrote:

>
This means that the actual data in your database has two apostrophes. Fix
that and you'll be sorted.
>

Correct, but when I use str_replace("'" , "''", $data); to replace
single quotes in my data, it adds the extra quote to the database
entry.... i guess i'm doing something very wrong... thanks so much
for your help thus far!

**nick.bonadies@gmail.com** · Apr 12 '07, 03:35 PM

Re: Single quotes in MSSQL

Toby A Inkster wrote:

>
This means that the actual data in your database has two apostrophes. Fix
that and you'll be sorted.

Here is some sample code:

$queryAddRecord = "INSERT INTO tbl_employees(f irstName, lastName)
VALUES(";
if (!empty($_POST['firstName']))
{
$queryAddRecord .= "'".$_POST['firstName']."',";
}
else {$queryAddRecor d .="Null,";}

if (!empty($_POST['lastName']))
{
$queryAddRecord .= '"'.str_replace ("'", "''",
$_POST['lastName']).'",';
}
else {$queryAddRecor d .="Null,";}
$dbresults = mssql_query($qu eryAddRecord);

So if you feed that Erin O'Brien, it inputs Erin for the first name
and O''Brien as the last name. Then when i call it back i use
something like this:

<?php
$queryFullTimee mployees = "SELECT firstName, lastName FROM
tbl_employees ORDER BY lastName ASC";
$dbFullTime = mssql_query($qu eryFullTimeempl oyees);
?>

then display the records:

<table>
<?php
// List the departments from the DB
//display the results
while($row = mssql_fetch_arr ay($dbFullTime) ){
$pageAddress = "employees_edit .php?id=".trim( $row['id']);
echo "<tr>
<td>".trim($r ow['lastName'])."</td>
<td>".trim($r ow['firstName'])."</td>
</tr>" ;
}
?>
</table>

**nick.bonadies@gmail.com** · Apr 12 '07, 06:25 PM

Re: Single quotes in MSSQL

$queryAddRecord = "INSERT INTO tbl_employees(f irstName, lastName)
VALUES(";
if (!empty($_POST['firstName']))
{
$queryAddRecord .= "'".$_POST['firstName']."',";
}
else {$queryAddRecor d .="Null,";}
>
if (!empty($_POST['lastName']))
{
$queryAddRecord .= '"'.str_replace ("'", "''",
$_POST['lastName']).'",';
}

I figured it out. Its the '"' part, it should be "'".str_replace ....

Thanks for the help! I appreciate it.

Single quotes in MSSQL

Single quotes in MSSQL

Comment

Comment

Comment

Comment

Comment

Comment

Comment