  1. #1
    SitePoint Member
    Join Date
    Dec 2004
    Location
    Texas
    Posts
    17

    Oracle insert troubles

    I'm having a problem that I can't seem to figure out; I pose it to you guys with much appreciation in advance.

    I'm trying to do an insert into a table from PHP.

    Let's say the table is defined as:

    Code:
    field_id  number
    field_text  varchar2(255)

    I'm doing an insert into it; my SQL statement is created as:

    Code:
    insert into mytable (field_id, field_text) values (1,"Then she said, \"BOO!\"");

    It fails in php with:

    Code:
    Warning: oci_parse() [function.oci-parse]: OCIParse: ORA-01740: missing double quote in identifier in c:\program files\Apache\Apache\htdocs\parms\com\common.php on line 476
    
    Warning: oci_execute(): supplied argument is not a valid OCI8-Statement resource in c:\program files\Apache\Apache\htdocs\parms\com\common.php on line 477

    and spits out my insert statement that failed.

    When I copy the insert statement and move it over to SQL*Plus Worksheet, it's apparently reading up to the first double quote (the one that is slashed, right before BOO!) and it's closing the quote there... It's reading the rest of the line (BOO! on) as yet another column.

    So apparently Oracle doesn't recognize escaped double quotes.

    The field that is being inserted in my query is a textarea that people can freely enter text, and I want them to be able to use double quotes, how can I insert a double quote into the table?

    Thanks again, in advance,
    Runnin

  2. #2
    r937
    SQL Consultant
    Join Date
    Jul 2002
    Location
    Toronto, Canada
    Posts
    39,341
    that's right, oracle doesn't understand php syntax

    what you want is --
    Code:
    insert into mytable (field_id, field_text) 
    values (1,'Then Mrs. O''Toole said, "BOO!"')

    note if people can enter anything, then you must
    1) guard against sql injection, and
    2) replace each inline single quote with two of them
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

  3. #3
    SitePoint Member
    Join Date
    Dec 2004
    Location
    Texas
    Posts
    17
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    so is it not necessary to addslashes() before inserting, rather just sub all ' with '' ?

    I'll look into the sql injection.

    thanks!
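
Bind variables address both points raised in reply #2, and with them neither addslashes() nor quote doubling is needed, because the text never becomes part of the SQL string. The script below is an added example, not code from the thread; it assumes the OCI8 extension and the `mytable` definition from the first post, the credentials and connect string are placeholders, and `insert_text` is a hypothetical helper name.

```php
<?php
// Added example. Credentials and connect string below are placeholders.
$conn = oci_connect('app_user', 'app_password', 'localhost/XEPDB1');
if (!$conn) {
    exit('Connect failed: ' . oci_error()['message'] . PHP_EOL);
}

// Hypothetical helper: insert one row into mytable (the table from the thread).
function insert_text($conn, int $id, string $text): void
{
    // field_text is varchar2(255): reject oversized input before it reaches Oracle.
    if (strlen($text) > 255) {
        throw new InvalidArgumentException('field_text is limited to 255');
    }
    // The SQL text is constant; :id and :text are placeholders, not string literals.
    $stmt = oci_parse($conn,
        'insert into mytable (field_id, field_text) values (:id, :text)');
    if (!$stmt) {
        throw new RuntimeException(oci_error($conn)['message']);
    }
    // Values travel separately from the statement, so quotes in $text stay data.
    oci_bind_by_name($stmt, ':id', $id, -1, SQLT_INT);
    oci_bind_by_name($stmt, ':text', $text);
    $ok = oci_execute($stmt);              // default mode commits on success
    $err = $ok ? null : oci_error($stmt);
    oci_free_statement($stmt);
    if (!$ok) {
        throw new RuntimeException($err['message']);
    }
}

// Constructed sample input: the two strings from the thread, plus one with a
// single quote followed by SQL-looking text.
$samples = [
    1 => 'Then she said, "BOO!"',
    2 => 'Then Mrs. O\'Toole said, "BOO!"',
    3 => "it's fine'); -- not SQL, just text",
];
foreach ($samples as $id => $text) {
    insert_text($conn, $id, $text);
}

// Read the rows back: each value is stored exactly as it was typed.
$stmt = oci_parse($conn, 'select field_id, field_text from mytable order by field_id');
oci_execute($stmt);
while (($row = oci_fetch_assoc($stmt)) !== false) {
    echo $row['FIELD_ID'], ': ', $row['FIELD_TEXT'], PHP_EOL;
}
oci_close($conn);
```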

