escaping characters in php and mysql - help

  • leegold2

    escaping characters in php and mysql - help


    // This statement below inserting one field works:
    // mysql_query("INSERT INTO page (page_url) VALUES (\"$url_field\" )");

    But I wanted to insert into two fields so I was trying all sorts of
    escaping. See below...there must be an easier way?! I also cite the
    syntax error - Thanks very much.

    mysql_query("INSERT INTO page (page_url, title) VALUES
    ( \"$url_insert . "\", "." \"$title_field "." "\")");

    I don't understand how to escape but I got to believe there's an easier
    way? Thanks!

    Error message
    C:\Program Files\Apache Group\Apache2\htdocs>php -l populate2.php
    <br />
    <b>Warning</b>: Unexpected character in input: '\' (ASCII=92) state=1
    in <b>C:\Program Files\Apache Group\Apache2\htdocs\populate2.php</b> on
    line <b>56</b><br />
    <br />
    <b>Parse error</b>: parse error, unexpected T_CONSTANT_ENCAPSED_STRING
    in <b>C:\Program Files\Apache Group\Apache2\htdocs\populate2.php</b> on
    line <b>56</b><br />
    Errors parsing populate2.php
  • Chris Hope

    #2
    Re: escaping characters in php and mysql - help

    leegold2 wrote:
    >
    > // This statement below inserting one field works:
    > // mysql_query("INSERT INTO page (page_url) VALUES (\"$url_field\" )");
    >
    > But I wanted to insert into two fields so I was trying all sorts of
    > escaping. See below...there must be an easier way?! I also cite the
    > syntax error - Thanks very much.
    >
    > mysql_query("INSERT INTO page (page_url, title) VALUES
    > ( \"$url_insert . "\", "." \"$title_field "." "\")");
    >
    > I don't understand how to escape but I got to believe there's an easier
    > way? Thanks!

    MySQL supports single quotes around column values as well double quotes so
    you can instead do it this way:

    mysql_query("
    INSERT INTO page (page_url, title)
    VALUES ('$url_insert', '$title_field')
    ");

    Much tidier and easier to read.

    Note that if you're accepting stuff from the browser and inserting it
    directly into the database you need to first escape the values. Do a Google
    search on sql injection to learn more:


    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
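The same two-field insert written with a prepared statement, as an added example that is not part of the thread and not Chris Hope's code. Placeholders remove the quoting problem from the question entirely and also cover the escaping point raised in the answer, because the values are sent to the driver separately from the SQL text. It uses an in-memory SQLite database so it runs without a server; the table name and columns come from the thread, while the sample rows and the `insertPage`/`fetchTitle` function names are constructed for this example. For MySQL only the DSN changes (for instance `mysql:host=localhost;dbname=test`, a hypothetical value); the prepare/execute calls are identical.

```php
<?php
// Added example, not code from the original thread.
// Two-field insert with PDO prepared statements instead of interpolating
// $url_insert / $title_field into the query string.

function insertPage(PDO $db, string $url, string $title): int
{
    // Named placeholders: the data never becomes part of the SQL text, so
    // quotes and backslashes in $url or $title cannot change the statement.
    $stmt = $db->prepare('INSERT INTO page (page_url, title) VALUES (:url, :title)');
    $stmt->execute([':url' => $url, ':title' => $title]);
    return (int) $db->lastInsertId();
}

function fetchTitle(PDO $db, string $url): ?string
{
    $stmt = $db->prepare('SELECT title FROM page WHERE page_url = :url');
    $stmt->execute([':url' => $url]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

// In-memory SQLite stands in for MySQL here so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, page_url TEXT, title TEXT)');

// Constructed sample values, chosen because each one breaks a hand-quoted
// query of the form VALUES ('$url_insert', '$title_field'):
$rows = [
    ['http://example.com/a', 'Plain title'],
    ['http://example.com/b', "O'Reilly's guide"],        // embedded single quotes
    ['http://example.com/c', 'Say "hello"'],             // embedded double quotes
    ['http://example.com/d', 'C:\\Program Files\\Apache'], // backslashes
];

foreach ($rows as [$url, $title]) {
    insertPage($db, $url, $title);
}

// Each value comes back exactly as it was given; no escaping was needed.
foreach ($rows as [$url, $title]) {
    if (fetchTitle($db, $url) !== $title) {
        throw new RuntimeException("Round trip failed for $url");
    }
}

echo $db->query('SELECT COUNT(*) FROM page')->fetchColumn(), " rows stored\n";
```

The interpolated form from the thread, `VALUES ('$url_insert', '$title_field')`, fails as soon as a title contains a single quote, since the quote ends the string literal early; anything else the browser supplied after that point is then parsed as SQL. With placeholders the driver handles quoting, so the application code has no per-value escaping to get right, which is the easier way the question was asking for.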
