  1. #1
    SitePoint Guru Angry Coder's Avatar

    Error when adding ' to MySQL using PHP

    Hello,

    I am getting an error message when I am adding this sign: ' to a record in a MySQL table using PHP.

    What's wrong and what's the best way to fix that?

    Please help. Thanks.
    Why It Doesn't Work?!

  2. #2
    He's No Good To Me Dead silver trophybronze trophy stymiee's Avatar
    You need to escape it using mysql_real_escape_string, which you should be doing with all data going into your database.

  3. #3
    SitePoint Evangelist
    Quote Originally Posted by stymiee
    You need to escape it using mysql_real_escape_string, which you should be doing with all data going into your database.
    I second this. Not only does it prevent errors like this, it is a security risk if you don't. For example, if I put in a record that said
    PHP Code:
    " ' DROP DATABASE `users`;"
    I could really cause some damage. I believe the newest version of PHP or MySQL prevents this scenario by only allowing one command per query, but the user could still potentially take advantage of the insecure code.
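
The error from the first post and the fix recommended in the replies, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for MySQL so that it runs offline; the table `records` and both function names are hypothetical. It binds values through a prepared statement rather than calling mysql_real_escape_string, because the mysql_* functions were removed in PHP 7.

```php
<?php
// Added example: SQLite in-memory stands in for MySQL so the script runs offline.
// Against MySQL only the DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample inputs: a name containing a single quote,
// and the string quoted in post #3 of this thread.
$inputs = ["O'Brien", "' DROP DATABASE `users`;"];

// 1) What the original poster hit: the quote inside the data closes the
//    SQL string literal early, so the rest of the value is parsed as SQL.
function insertByConcatenation(PDO $pdo, string $value): string
{
    try {
        $pdo->exec("INSERT INTO records (body) VALUES ('$value')");
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// 2) The fix: the SQL text holds only a placeholder and the value is bound
//    separately, so its content is never interpreted as SQL syntax.
function insertPrepared(PDO $pdo, string $value): int
{
    $stmt = $pdo->prepare('INSERT INTO records (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
    return (int) $pdo->lastInsertId();
}

// Read a row back, again with a bound parameter.
function fetchBody(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM records WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

foreach ($inputs as $value) {
    echo 'concatenated: ', insertByConcatenation($pdo, $value), PHP_EOL;
    $stored = fetchBody($pdo, insertPrepared($pdo, $value));
    echo 'prepared:     ', ($stored === $value ? 'stored unchanged' : 'MISMATCH'),
         ' -> ', $stored, PHP_EOL;
}
```
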

  4. #4
    Non-Member Icheb's Avatar
    Quote Originally Posted by Angry Coder
    Hello,

    I am getting an error message when I am adding this sign: ' to a record in a MySQL table using PHP.

    What's wrong and what's the best way to fix that?

    Please help. Thanks.
    This sign ' is called an Apostrophe.

    Quote Originally Posted by paulgb
    I believe the newest version of PHP or MYSQL prevents this scenario by only allowing one command per query, but the user could still potentially take advantage of the insecure code.
    It's actually the other way round. It was always coded in a way that mysql_query() would only allow one, but now there's a function to use more than one.

  5. #5
    SitePoint Evangelist
    Quote Originally Posted by Icheb
    This sign ' is called an Apostrophe.
    In this case, it's a single quote ', not an apostrophe.

    Apostrophe would be this one `

  6. #6
    SitePoint Enthusiast
    I call that one ` a backtick
    this ' was an apostrophe until I started using php.

  7. #7
    SitePoint Guru Angry Coder's Avatar
    Do you speak French?
    Why It Doesn't Work?!

