insert into test values (0,''; DELETE FROM test; ',1);
ERROR 1064: You have an error in your SQL syntax near '' at line 1
what about
insert into test values (0,'\'; DELETE FROM test; ',1);
the character ' is used to denote the beginning and the end of a
field value. If you have this
-Original Message-
From: Chris Worth [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 01, 2001 12:36 PM
To: [EMAIL PROTECTED]
Subject: [PHP] SQL syntax error in PHP script. dunno what's wrong
hey gang.
here is my sql statement from my php script.
$sql = UPDATE TABLE
] [SMTP:[EMAIL PROTECTED]]
Sent: 01 August 2001 18:03
To: php
Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's
wrong
no offense to you sam, but please don't ever simply place
single quotes around values. you have to escape the values
*themselves*.
what if someone submitted the form field title as:
$title = '; DELETE FROM
on 8/1/01 11:35 AM, Chris Worth at [EMAIL PROTECTED] wrote:
hey gang.
here is my sql statement from my php script.
$sql = UPDATE TABLE seminar SET
title=$title,speaker=$speaker,event_date=$tdate,time=$time,bldg=$building
,rm=$room WHERE id=$id;
strings in a mysql query need to
Subject: [PHP] SQL syntax error in PHP script. dunno what's wrong
hey gang.
here is my sql statement from my php script.
$sql = UPDATE TABLE seminar SET
title=$title,speaker=$speaker,event_date=$tdate,time=$time,bldg=$building
,rm=$room WHERE id=$id;
it appears just like that in my
your own with relative ease:
function db_quote($value) {
return "'" . preg_replace("/'/", "''", $value) . "'";
}
-Original Message-
From: Matt Greer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 01, 2001 12:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] SQL syntax error in PHP script. dunno
Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's wrong
You will need to put single quotes around your variables in your SQL
statement. Like this:
$sql = UPDATE TABLE seminar SET
title='$title',speaker='$speaker',event_date='$tdate',time='$time',bldg='$building'
,rm