  1. #1
    SitePoint Wizard Busch's Avatar
    Join Date
    Jan 2004
    Posts
    1,072
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Quote problems INSERTing with ADOdb

    I am just learning how to use ADOdb so I can safely and securely handle my DB queries.

    I am using data binding for all of my queries because I read here that, "String quoting is not necessary when using bind variables, nor is escaping of special characters within a string value."

    But no matter what I do, my INSERT is improperly escaping data inserted to the database.

    Here's the script I am testing, the results, Debug and more server info are below. What am I doing wrong?

    SCRIPT:
    PHP Code:
    <html>
    <head>
        <title>INSERT test</title>
    </head>
    <body>

    <?php
    // Include ADOdb Database Abstraction Library
    include('adodb/adodb.inc.php');

    // Connect to Database
    $db = ADONewConnection('mysql'); # eg. 'mysql' or 'oci8'
    $db->debug = true;
    $db->Connect('none', 'of', 'your', 'beeswax');

    // Get resultset as associative array
    $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;

    // Are there any post values
    if (isset($_POST['action']) && $_POST['action'] == 'do_insert') {

        // Build INSERT query (bind variables, no manual quoting)
        $sql = "
            INSERT INTO test_table (title, description)
            VALUES (?, ?)
        ";

        // Set the values for the insert
        $values = array($_POST['title'], $_POST['description']);

        // Execute the query
        $result = $db->Execute($sql, $values) or die("Error in query: $sql: " . $db->ErrorMsg());

        // If query was successful, show new row
        if ($result) {
            $get_sql = "SELECT * FROM test_table WHERE id = ?";
            $get_values = array($db->Insert_Id());
            $row = $db->GetRow($get_sql, $get_values) or die("Error in query: $get_sql: " . $db->ErrorMsg());

            echo '<b>id: </b>' . $row['id'] . '<br />';
            echo '<b>title: </b>' . $row['title'] . '<br />';
            echo '<b>description: </b>' . $row['description'] . '<br />';
        }
    }
    ?>

    <form method="post">
        <input name="action" type="hidden" value="do_insert">
        Title:<br /><input name="title" type="text"><br />
        Description:<br /><textarea name="description"></textarea><br />
        <input type="submit" value="Submit">
    </form>

    </body>
    </html>
    DEBUG:
    (mysql): INSERT INTO test_table (title, description) VALUES ('It\\\'s my \\\"Second Test\\\"', 'But it\\\'s still not \\\"working\\\"!')
    (mysql): SELECT LAST_INSERT_ID()
    (mysql): SELECT * FROM test_table WHERE id = '2'

    OUTPUT:
    id: 2
    title: It\'s my \"Second Test\"
    description: But it\'s still not \"working\"!

    SERVER INFO:
    magic_quotes_gpc On
    magic_quotes_sybase Off

  2. #2
    reads the ********* Crier longneck's Avatar
    Join Date
    Feb 2004
    Location
    Tampa, FL (US)
    Posts
    9,854
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    what do YOU think the problem is? hint: it's the second-to-last line of your post.

  3. #3
    SitePoint Wizard Busch's Avatar
    Join Date
    Jan 2004
    Posts
    1,072
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Of course I thought the problem was related to magic_quotes (that's why I mentioned it) but:

    1. How do you build a query to use on a server with magic_quotes turned ON or OFF?

    2. And why in the world does ADOdb not take this into consideration? I know it's being turned OFF by default in new releases of PHP but it doesn't make any sense that ADOdb does not check it by default. It's mind boggling to me but maybe I am missing something... (there's always a good chance of that...)

  4. #4
    reads the ********* Crier longneck's Avatar
    Join Date
    Feb 2004
    Location
    Tampa, FL (US)
    Posts
    9,854
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    1. look at the mysql page for magic_quotes. there are a couple of good functions for undoing magic_quotes. use one of those.

    2. not all data passed to a query comes directly from $_POST or $_GET, so checking the status of magic_quotes and removing the slashes if needed would not always be appropriate.
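A worked version of longneck's two points, added here as an example and not code from the thread or from ADOdb: undo magic_quotes_gpc exactly once, at the request boundary and only when the directive is actually on, so the same script works whether magic_quotes_gpc is On or Off; leave the query layer alone, because values that never came from $_GET/$_POST were never slash-quoted and stripping inside the query code would corrupt them. The table, columns and connection arguments are placeholders, and stripslashes_deep(), undo_magic_quotes_gpc() and insert_test_row() are names chosen for this example. get_magic_quotes_gpc() always returns false from PHP 5.4 (where the magic_quotes directives were removed) and no longer exists in PHP 8, hence the function_exists() guard.

```php
<?php
// Added example, not from the thread or from ADOdb.

// Recursively undo addslashes() on a GPC value; magic_quotes_gpc applies it
// to every string in $_GET, $_POST and $_COOKIE, including nested arrays.
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Run once at the top of the request. Touches only the request superglobals,
// and only when the directive is really on, so the script behaves the same
// on servers with magic_quotes_gpc On or Off. get_magic_quotes_gpc() always
// returns false from PHP 5.4 on and was removed in PHP 8.0, hence the guard.
function undo_magic_quotes_gpc()
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return false; // nothing to undo
    }
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
    return true;
}

// The query layer stays as in the thread: bind variables receive the raw
// value and ADOdb quotes it exactly once. Values computed in PHP rather than
// taken from GPC go through the same path and are never double-escaped.
// Requires adodb/adodb.inc.php; table and columns are placeholders.
function insert_test_row($db, $title, $description)
{
    $sql = 'INSERT INTO test_table (title, description) VALUES (?, ?)';
    $ok  = $db->Execute($sql, array($title, $description));
    return $ok ? $db->Insert_Id() : false;
}

undo_magic_quotes_gpc();

// Constructed sample: what $_POST['title'] holds when magic_quotes_gpc is On
// and the user typed  It's my "Second Test"  (compare the thread's DEBUG line).
$quoted_by_magic = 'It\\\'s my \\"Second Test\\"';   // It\'s my \"Second Test\"
$raw             = stripslashes_deep($quoted_by_magic);
assert($raw === 'It\'s my "Second Test"');

// Nested arrays (e.g. <input name="tags[]">) are unescaped as well.
assert(stripslashes_deep(array('a\\\'b', array('c\\"d'))) === array("a'b", array('c"d')));

// Usage against a live connection (placeholder credentials, not run here):
// $db = ADONewConnection('mysql');
// $db->Connect('db_host', 'db_user', 'db_password', 'db_name');
// $id = insert_test_row($db, $_POST['title'], $_POST['description']);
```

Calling undo_magic_quotes_gpc() before any request data is read gives the rest of the script one consistent view of its input: the bind variables then carry the text the user actually typed, and the DEBUG output should show a single level of escaping in the generated INSERT.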

