From: Paul_S_Johnson on 3 Aug 2010 09:04

Yes, I may have mixed up the input and output from different iterations of
running it. Let me try posting this again although it may not be an issue.
Once again if I enter two sequential apostrophes in the name (O''Brien)
the INSERT passes right through to MySQL without an error.

THE INPUT:

    $sql_insert_registration = sprintf("INSERT INTO
      Registrations (
        Class_ID,
        prid,
        Registrant,
        Company,
        Phone,
        Email
      )
    VALUES (
        $_POST[Class_ID],
        $_POST[prid],
        '%s',".
        parseNull($_POST['Company']).",
        '$_POST[Phone]',
        '$_POST[Email]'
    )", mysql_real_escape_string($_POST['Registrant']));

    echo "<pre>".$_POST["Registrant"]."</pre>";
    echo "<pre>".mysql_real_escape_string($_POST["Registrant"])."</pre>";
    echo "<pre>".$sql_insert_registration."</pre>";

THE OUTPUT:

    Brian O'Brien
    Brian O\'Brien
    INSERT INTO
      Registrations (
        Class_ID,
        prid,
        Registrant,
        Company,
        Phone,
        Email
      )
    VALUES (
        355,
        257,
        'Brian O\'Brien',NULL,
        '612-456-5678',
        'somebody(a)somewhere.org'
    )
    Error: You have an error in your SQL syntax; check the manual that
    corresponds to your MySQL server version for the right syntax to use near
    'Brien', 'Class registration confirmation', ' This email ' at line 16

Paul S. Johnson
U.S. Bankruptcy Court
District of Minnesota
paul_s_johnson(a)mnb.uscourts.gov
612-664-5276
From: Peter Lind on 3 Aug 2010 09:08

On 3 August 2010 15:04, <Paul_S_Johnson(a)mnb.uscourts.gov> wrote:
> Yes, I may have mixed up the input and output from different iterations of
> running it. Let me try posting this again although it may not be an issue.
> Once again if I enter two sequential apostrophes in the name (O''Brien)
> the INSERT passes right through to MySQL without an error.
>
> THE INPUT:
>
> $sql_insert_registration = sprintf("INSERT INTO
>   Registrations (
>     Class_ID,
>     prid,
>     Registrant,
>     Company,
>     Phone,
>     Email
>   )
> VALUES (
>     $_POST[Class_ID],
>     $_POST[prid],
>     '%s',".
>     parseNull($_POST['Company']).",
>     '$_POST[Phone]',
>     '$_POST[Email]'
> )", mysql_real_escape_string($_POST['Registrant']));
>
> echo "<pre>$_POST['Registrant".$_POST["Registrant"]."</pre>";
> echo "<pre>".mysql_real_escape_string($_POST["Registrant"])."</pre>";
> echo "<pre>".$sql_insert_registration."</pre>";
>
>
> THE OUTPUT:
>
> Brian O'Brien
> Brian O\'Brien
> INSERT INTO
>   Registrations (
>     Class_ID,
>     prid,
>     Registrant,
>     Company,
>     Phone,
>     Email
>   )
> VALUES (
>     355,
>     257,
>     'Brian O\'Brien',NULL,
>     '612-456-5678',
>     'somebody(a)somewhere.org'
> )
> Error: You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> 'Brien', 'Class registration confirmation', ' This email ' at line 16
>

Strangely, you have still failed to provide the input that is actually
sent to mysql. Look at the error code: "... for the right syntax to use
near 'Brien', 'Class registration confirmation', ' This email '" -
"Class registration confirmation" does not appear anywhere in the output
section you posted but it appears in the mysql error.
I'd do as Bret suggested and turn on query logging in mysql to see what
is actually received.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
From: Chris on 3 Aug 2010 18:44

On 03/08/10 23:04, Paul_S_Johnson(a)mnb.uscourts.gov wrote:
> Yes, I may have mixed up the input and output from different iterations of
> running it. Let me try posting this again although it may not be an issue.
> Once again if I enter two sequential apostrophes in the name (O''Brien)
> the INSERT passes right through to MySQL without an error.
>
> THE INPUT:
>
> $sql_insert_registration = sprintf("INSERT INTO
>   Registrations (
>     Class_ID,
>     prid,
>     Registrant,
>     Company,
>     Phone,
>   )
> VALUES (
>     $_POST[Class_ID],

^^^^^^ needs a mysql_real_escape_string or validation to make sure it's
an integer

>     $_POST[prid],

^^^^^^ needs a mysql_real_escape_string or validation to make sure it's
an integer

>     '%s',".

^^^^^^ has a mysql_real_escape_string, but it's the only one.

>     parseNull($_POST['Company']).",

Without knowing what this function does, it's hard to say what this needs.

>     '$_POST[Phone]',

^^^^^^ needs a mysql_real_escape_string

>     '$_POST[Email]'

^^^^^^ needs a mysql_real_escape_string

> )", mysql_real_escape_string($_POST['Registrant']));

This has already all been pointed out previously.

--
Postgresql & php tutorials
http://www.designmagick.com/
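For readers following the escaping points Chris makes above, here is a hardened form of the same Registrations INSERT. It is an added example for this thread, not code from any of the posters. It assumes: PDO with an in-memory SQLite database as a stand-in for the MySQL server so the script runs offline; a table layout guessed from the six columns in the thread; a `nullIfEmpty()` helper standing in for the thread's `parseNull()`, whose source was never shown; and a constructed `$post` array in place of `$_POST`. Instead of escaping each value into the query string, every value is bound as a parameter and the two ID fields are validated as integers before the query is built.

```php
<?php
// Added example for this thread (not code from any of the posters).
// Hardened form of the Registrations INSERT: every value is bound as a
// parameter, and the two ID fields are validated as integers first.
// Assumptions: PDO with an in-memory SQLite database stands in for the
// MySQL server so the script runs offline; the table layout below is
// guessed from the six columns in the thread; nullIfEmpty() stands in
// for the thread's parseNull(), whose source was never shown.

// Stand-in for parseNull(): an empty field is stored as SQL NULL.
function nullIfEmpty(string $value): ?string
{
    return trim($value) === '' ? null : $value;
}

// Reject anything that is not a plain integer instead of escaping it.
function requireInt(array $input, string $key): int
{
    $v = filter_var($input[$key] ?? null, FILTER_VALIDATE_INT);
    if ($v === false) {
        throw new InvalidArgumentException("$key must be an integer");
    }
    return $v;
}

function insertRegistration(PDO $pdo, array $input): void
{
    // The SQL text contains no user data, so apostrophes in a name
    // (single or doubled) cannot change the statement's structure.
    $stmt = $pdo->prepare(
        'INSERT INTO Registrations
             (Class_ID, prid, Registrant, Company, Phone, Email)
         VALUES (:class_id, :prid, :registrant, :company, :phone, :email)'
    );
    $company = nullIfEmpty($input['Company'] ?? '');
    $stmt->bindValue(':class_id', requireInt($input, 'Class_ID'), PDO::PARAM_INT);
    $stmt->bindValue(':prid', requireInt($input, 'prid'), PDO::PARAM_INT);
    $stmt->bindValue(':registrant', $input['Registrant'] ?? '', PDO::PARAM_STR);
    $stmt->bindValue(':company', $company,
        $company === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(':phone', $input['Phone'] ?? '', PDO::PARAM_STR);
    $stmt->bindValue(':email', $input['Email'] ?? '', PDO::PARAM_STR);
    $stmt->execute();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Registrations (
    Class_ID INTEGER, prid INTEGER, Registrant TEXT,
    Company TEXT, Phone TEXT, Email TEXT)');

// Constructed sample input standing in for $_POST, including the
// doubled-apostrophe name from the thread and an empty Company.
$post = [
    'Class_ID'   => '355',
    'prid'       => '257',
    'Registrant' => "Brian O''Brien",
    'Company'    => '',
    'Phone'      => '612-456-5678',
    'Email'      => 'somebody@example.org',
];
insertRegistration($pdo, $post);

// Read back: the name is stored exactly as typed and Company is NULL.
$row = $pdo->query('SELECT Registrant, Company FROM Registrations')
           ->fetch(PDO::FETCH_ASSOC);
printf("stored name: %s (company is %s)\n",
    $row['Registrant'], $row['Company'] === null ? 'NULL' : $row['Company']);

// A non-integer ID never reaches the database; it is rejected up front.
try {
    insertRegistration($pdo, ['Class_ID' => '355abc'] + $post);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Against a real MySQL server only the DSN changes; with pdo_mysql it is also worth setting `PDO::ATTR_EMULATE_PREPARES` to false so the server, not the client, binds the parameters. Because the user data never becomes part of the SQL text, there is nothing to escape, which removes the whole class of "I escaped one field but not the others" mistakes the thread is about.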
From: Karl DeSaulniers on 3 Aug 2010 20:24

On Aug 3, 2010, at 8:08 AM, Peter Lind wrote:
> On 3 August 2010 15:04, <Paul_S_Johnson(a)mnb.uscourts.gov> wrote:
>> Yes, I may have mixed up the input and output from different
>> iterations of
>> running it. Let me try posting this again although it may not be
>> an issue.
>> Once again if I enter two sequential apostrophes in the name
>> (O''Brien)
>> the INSERT passes right through to MySQL without an error.
>>
>> THE INPUT:
>>
>> $sql_insert_registration = sprintf("INSERT INTO
>>   Registrations (
>>     Class_ID,
>>     prid,
>>     Registrant,
>>     Company,
>>     Phone,
>>   )
>> VALUES (
>>     $_POST[Class_ID],
>>     $_POST[prid],
>>     '%s',".
>>     parseNull($_POST['Company']).",
>>     '$_POST[Phone]',
>>     '$_POST[Email]'
>> )", mysql_real_escape_string($_POST['Registrant']));
>>
>> echo "<pre>$_POST['Registrant".$_POST["Registrant"]."</pre>";
>> echo "<pre>".mysql_real_escape_string($_POST["Registrant"])."</pre>";
>> echo "<pre>".$sql_insert_registration."</pre>";
>>
>>
>> THE OUTPUT:
>>
>> Brian O'Brien
>> Brian O\'Brien
>> INSERT INTO
>>   Registrations (
>>     Class_ID,
>>     prid,
>>     Registrant,
>>     Company,
>>     Phone,
>>   )
>> VALUES (
>>     355,
>>     257,
>>     'Brian O\'Brien',NULL,
>>     '612-456-5678',
>>     'somebody(a)somewhere.org'
>> )
>> Error: You have an error in your SQL syntax; check the manual that
>> corresponds to your MySQL server version for the right syntax to
>> use near
>> 'Brien', 'Class registration confirmation', ' This email ' at line 16
>>
>
> Strangely, you have still failed to provide the input that is actually
> sent to mysql. Look at the error code: "... for the right syntax to
> use near 'Brien', 'Class registration confirmation', ' This email '" -
> "Class registration confirmation" does not appear anywhere in the
> output section you posted but it appears in the mysql error.
> I'd do as Bret suggested and turn on query logging in mysql to see
> what is actually received.
>
> Regards
> Peter
>
> --
> <hype>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15
> </hype>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Can't you just do VALUES = mysql_real_escape(VALUES); before submitting,
or something similar? Maybe urlencode.

Karl DeSaulniers
Design Drumm
http://designdrumm.com
From: Karl DeSaulniers on 3 Aug 2010 20:31
On Aug 3, 2010, at 5:44 PM, Chris wrote:
> On 03/08/10 23:04, Paul_S_Johnson(a)mnb.uscourts.gov wrote:
>> Yes, I may have mixed up the input and output from different
>> iterations of
>> running it. Let me try posting this again although it may not be
>> an issue.
>> Once again if I enter two sequential apostrophes in the name
>> (O''Brien)
>> the INSERT passes right through to MySQL without an error.
>>
>> THE INPUT:
>>
>> $sql_insert_registration = sprintf("INSERT INTO
>>   Registrations (
>>     Class_ID,
>>     prid,
>>     Registrant,
>>     Company,
>>     Phone,
>>   )
>> VALUES (
>>     $_POST[Class_ID],
>
> ^^^^^^ needs a mysql_real_escape_string or validation to make sure
> it's an integer
>
>>     $_POST[prid],
>
> ^^^^^^ needs a mysql_real_escape_string or validation to make sure
> it's an integer
>
>>     '%s',".
>
> ^^^^^^ has a mysql_real_escape_string, but it's the only one.
>
>>     parseNull($_POST['Company']).",
>
> Without knowing what this function does, it's hard to say what this
> needs.
>
>>     '$_POST[Phone]',
>
> ^^^^^^ needs a mysql_real_escape_string
>
>>     '$_POST[Email]'
>
> ^^^^^^ needs a mysql_real_escape_string
>
>> )", mysql_real_escape_string($_POST['Registrant']));
>
>
> This has already all been pointed out previously.
>
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>

Didn't see this post, it was in my spam folder.

Karl DeSaulniers
Design Drumm
http://designdrumm.com