[K12OSN] Help with php / mysql
Patrick Fleming
k12ltsp at rwcinc.net
Wed Feb 4 12:50:46 UTC 2009
Brian Chivers wrote:
> I'm trying to insert the text below into a mysql table but it's
> complaining, I think it's the ' that's causing the problem.
>
> childrens's/youth program (general)
>
> The table is called stream and the field I'm trying to insert into is
> called genre and it's a varchar(200) collation utf_general_ci
>
> This is the command I'm using
>
> mysql_query("INSERT INTO stream (channel, starttime, title, description,
> genre, filename) VALUES
> ('$channel','$starttime','$title','$description','$genre','$filename')");
>
> All the other fields work OK & if I remove the ' from $genre it works OK.
Check out addslashes() and stripslashes(); also look up mysql escape strings.
You are apparently not cleaning up and sanitizing your data - which
opens up your application to SQL Injection attacks.
You want to start with
$channel = addslashes($channel);
$starttime = addslashes($starttime);
even better -
$channel = addslashes($_POST['channel']);
mysql_query("INSERT INTO stream (channel, starttime, title, description,
genre, filename) VALUES
('$channel','$starttime','$title','$description','$genre','$filename')");
>
> Did think about doing a search & replace before I insert but I'd have to
> do it on the other fields as well so I'd like to be able to solve it
> another way :-)
>
> Thanks
> Brian
>
> ------------------------------------------------------------------------------------------------
> The views expressed here are my own and not necessarily
> the views of Portsmouth College
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>
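A worked version of the fix, added here as an example and not part of the thread: the same INSERT done with a PDO prepared statement, which keeps the data out of the SQL string entirely instead of patching it with addslashes(). It uses an in-memory SQLite database so it runs without MySQL; the table definition and sample values are constructed for the demo, with the genre taken from Brian's message.

```php
<?php
// Added example (not from the original thread). Assumes PHP with the PDO
// and pdo_sqlite extensions; the table and sample row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stream (channel TEXT, starttime TEXT, title TEXT,
           description TEXT, genre TEXT, filename TEXT)');

// Constructed input. Only genre contains an apostrophe, matching the thread.
$row = [
    'channel'     => 'BBC One',
    'starttime'   => '2009-02-04 12:50:00',
    'title'       => 'Blue Peter',
    'description' => 'Kids magazine show',
    'genre'       => "childrens's/youth program (general)",
    'filename'    => 'bbc1-1250.ts',
];

// 1. The pattern from the thread: values interpolated into the SQL text.
//    The apostrophe in genre closes the string literal early, so the
//    statement fails to parse; any value a user controls can reshape
//    the query the same way. This is the SQL injection risk named above.
$sql = "INSERT INTO stream (channel, starttime, title, description, genre, filename)
        VALUES ('{$row['channel']}','{$row['starttime']}','{$row['title']}',
                '{$row['description']}','{$row['genre']}','{$row['filename']}')";
try {
    $db->exec($sql);
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the SQL (with ? placeholders) is sent first and the
//    values separately, so quotes in the data never alter the query's
//    structure and no addslashes()/escaping step is needed at all.
$stmt = $db->prepare(
    'INSERT INTO stream (channel, starttime, title, description, genre, filename)
     VALUES (?, ?, ?, ?, ?, ?)'
);
$stmt->execute(array_values($row));   // order matches the column list

// The apostrophe is stored exactly as given, no doubled backslashes.
$genre = $db->query('SELECT genre FROM stream')->fetchColumn();
echo "stored genre: $genre\n";
```

The same prepare/execute pattern works unchanged against MySQL by swapping the DSN (for example `mysql:host=...;dbname=...`); with the old mysql_* functions, mysql_real_escape_string() on each value is the closest equivalent, but it still leaves the data inside the query string.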