Brian Chivers wrote:
> I'm trying to insert the text below into a mysql table but it's
> complaining, I think it's the ' that's causing the problem.
> 
> childrens's/youth program (general)
> 
> The table is called stream and the field I'm trying to insert into is
> called genre and it's a varchar(200) collation utf8_general_ci
> 
> This is the command I'm using
> 
> mysql_query("INSERT INTO stream (channel, starttime, title,
> description, genre, filename) VALUES
> ('$channel','$starttime','$title','$description','$genre','$filename')");
> 
> 
> All the other fields work OK & if I remove the ' from $genre it works
> OK.

It sounds like you're not doing any form of input validation; you really
should, otherwise you leave yourself open to all sorts of nasty attacks.

> Did think about doing a search & replace before I insert but I'd have
> to do it on the other fields as well so I'd like to be able to solve
> it another way :-)

Instead of building a query string, you can use parameterised
statements.  The Wikipedia article on SQL injection attacks[1] is worth
reading, and contains a small example of how to achieve it with PHP/MySQL.

Chris
[1] http://en.wikipedia.org/wiki/SQL_injection
-- 
Chris Smith <cj...@zepler.net>


Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--------------------------------------------------------------
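Chris's suggestion of parameterised statements, written out for the INSERT from the original question. This is an added example, not code posted in the thread. It uses the mysqli extension's prepare/bind_param, because the old mysql_* functions used in the question have no server-side prepared statements; the connection details, database name and sample field values are made up for illustration, while the table and column names are the ones from the question.

```php
<?php
// Added example: the same INSERT as a mysqli prepared statement. The SQL text
// and the values travel separately, so the apostrophe in the genre value is
// stored as data and can never end the string literal or alter the query.

// Placeholder connection details (assumed, not from the thread).
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'tvguide');
if ($db->connect_errno) {
    die('Connect failed: ' . $db->connect_error . "\n");
}
// Tell the server which character set the client is sending; this matters
// for the utf8 column in the question and for any escaping mysqli does.
$db->set_charset('utf8');

// Constructed sample values. $genre is the exact string that broke the
// original string-built query; $description carries one too.
$channel     = 'BBC1';
$starttime   = '2008-03-01 09:00:00';
$title       = 'Saturday Kitchen';
$description = "Live cookery; the presenter's guests cook along";
$genre       = "childrens's/youth program (general)";
$filename    = 'bbc1_20080301_0900.mpg';

// For comparison, this is what the original code sent to the server:
//   ... VALUES ('BBC1', ..., 'childrens's/youth program (general)', ...)
// The second apostrophe closes the literal and the rest is a syntax error.
// With user-controlled input it is also the classic SQL injection hole.

// Placeholders (?) instead of interpolated variables.
$sql = 'INSERT INTO stream (channel, starttime, title, description, genre, filename)
        VALUES (?, ?, ?, ?, ?, ?)';

$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . $db->error . "\n");
}

// 'ssssss' = six string parameters, bound by reference in placeholder order.
// No quoting or search-and-replace on the values is needed on any field.
$stmt->bind_param('ssssss', $channel, $starttime, $title,
                  $description, $genre, $filename);

if (!$stmt->execute()) {
    die('Insert failed: ' . $stmt->error . "\n");
}
echo 'Inserted row id ' . $stmt->insert_id . "\n";

$stmt->close();
$db->close();
```

Once the statement is prepared it can be executed again with new values bound to the same placeholders, which is the natural fit for a loop that inserts one programme row at a time. If the code has to stay on the legacy mysql_* extension for now, every interpolated value must at least go through mysql_real_escape_string() on a connection whose character set has been set, but moving to prepared statements removes the problem rather than patching it field by field.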
