Brian Chivers wrote:
> I'm trying to insert the text below into a mysql table but it's
> complaining, I think it's the ' that's causing the problem.
>
> childrens's/youth program (general)
>
> The table is called stream and the field I'm trying to insert into is
> called genre and it's a varchar(200) collation utf_general_ci
>
> This is the command I'm using
>
> mysql_query(INSERT INTO stream (channel, starttime, title,
> description, genre, filename) VALUES
> ('$channel','$starttime','$title','$description','$genre','$filename'));
>
>
> All the other fields work OK & if I remove the ' from $genre it works
> OK.
It sounds like you're not doing any form of input validation; you really should, otherwise you leave yourself open to all sorts of nasty attacks.

> Did think about doing a search & replace before I insert but I'd have
> to do it on the other fields as well so I'd like to be able to solve
> it another way :-)

Instead of building a query string, you can use parameterised statements. The Wikipedia article on SQL injection attacks[1] is worth reading, and contains a small example of how to achieve it with PHP/MySQL.

Chris

[1] http://en.wikipedia.org/wiki/SQL_injection

--
Chris Smith <cj...@zepler.net>
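As an added illustration of the parameterised-statement approach Chris recommends (example code, not from either poster): the same INSERT into the `stream` table written with a mysqli prepared statement. The connection details and the sample row values are assumptions; the table and column names come from Brian's message. The apostrophe in the genre value is passed as data, so it can neither break the statement nor change what the SQL does.

```php
<?php
// Added example, not from the original thread: inserting the row with a
// mysqli prepared statement instead of interpolating values into the SQL text.
// Assumed: connection credentials below, and that table `stream` has the six
// columns named in the post.

$db = new mysqli('localhost', 'user', 'password', 'database'); // assumed credentials
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8');

// The form in the thread, for comparison: values are pasted into the query
// string, so the ' in $genre terminates the literal early and the statement
// fails; any value containing SQL syntax would be parsed as SQL.
//   mysql_query("INSERT INTO stream (...) VALUES ('$channel', ..., '$genre', ...)");

// Placeholders (?) stand in for the values; the SQL structure is fixed here
// and the values are sent to the server separately at execute time.
$sql = 'INSERT INTO stream (channel, starttime, title, description, genre, filename)
        VALUES (?, ?, ?, ?, ?, ?)';
$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}

// Sample values (constructed); the genre is the string that failed in the post.
$channel     = 'BBC One';
$starttime   = '2009-01-01 20:00:00';
$title       = 'Example programme';
$description = 'Example description';
$genre       = "childrens's/youth program (general)";
$filename    = 'example.ts';

// One type character per placeholder ('s' = string). No escaping is needed
// because the driver never merges these values into the SQL text.
$stmt->bind_param('ssssss', $channel, $starttime, $title, $description, $genre, $filename);

if (!$stmt->execute()) {
    die('Execute failed: ' . $stmt->error);
}
echo 'Inserted ' . $stmt->affected_rows . " row(s)\n";

$stmt->close();
$db->close();
```

The old `mysql_*` extension used in the post has no prepared-statement support, so switching to mysqli (or PDO) is part of the fix; note that a prepared statement protects the SQL, but the values should still be validated against what the application expects (length, format) before they are stored.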
--
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk