OK, I use an older version of PHP where mysql_real_esacpe_strings isn't
avail. But nevertheless I would always prefer double-quoting with
$descrip_field=str_replace("'","''",$$descrip_field);
This is because I got lot's of Problems with different languages on
different databases when you try to make things easy of trust on automatism.
This always works.
Put all the checks and escapes into a function and call it instead of
mysql_real_escape_string... Then everything will be fine.
Frank Busch
.......
leegold wrote:
> I'm ripping hair out, here's the problem...I'm trying to insert content
> cited below into a field and it's causing this error, ie. there's
> content i just cannot insert into the DB an it's causing the following
> error message:
>
> "You have an error in your SQL syntax; check the manual that corresponds
> to your MySQL server version for the right syntax to use near 's
> Edition)."
>
> Here's the content that will not insert:
>
> <i>How to Get It: A Guide to Defense - Related Information Resources</i>
> (DTIC, 2002; Librarian's Edition). A reference published by the Defense
> Technical Information Service. The inspiration for this document.
Without special treatment the single quote (apostrophe) in "Librarian's"
terminates the string, leaving the rest as nonsense SQL.
> I'm using PHP so I run the code below (note I think magic quotes might
> be enabled on my server so the "mysql_real_escape_string" in the code
> below might never be runned) but in any event it is escaped with:
>
> if (!get_magic_quotes_gpc()) {
> $descrip_field = mysql_real_escape_string($descrip_field);
> }
The "gpc" stands for Get/Post/Cookie. I'd guess that $descrip_field didn't
come directly from a Get, Post, or Cookie, so magic_quotes didn't affect it.
In that case, you have to escape it by hand with mysql_real_escape_string,
but you don't do that because magic_quotes_gpc is on. I think this is a
good example of why magic_quotes is a bad idea. Better to turn it off and
then *always* process your strings.
> I do the same escape for the title field too....Then futher down in the
> code actual INSERT code is:
>
> mysql_query("INSERT INTO howto.page (title, descrip) VALUES
> ('$title_field', '$descrip_field')")
> or die ("Can't connect because ".mysql_error());
> $page_id1 = mysql_insert_id();
> if ($page_id1 == '0' ) { die ('died : page_id1=0'); }
> ....
It is good that you are checking for errors and printing them when you get
them, but often the error comes from the SQL statement not being what you
think it is (as happened here, I think). You would stand a better chance of
catching that if you included the actual SQL in the error message. I would
use something like
$query = "INSERT INTO howto.page (title, descrip)
VALUES ('$title_field', '$descrip_field')";
mysql_query($query) or die ("Query: ".$query."\n failed with error: "
.mysql_error()."\n");
That way, you see the actual query that was sent, as well as the error from
mysql.
> What's wrong??? It inserts for everything else OK, but just won't insert
> when i try with the content i cited?
>
> Thanks,
> Lee G.
Then leegold also wrote:
> I fixed it. But I'm not clear on why. The following code ie. taking the
> content and blatantly putting the content through addslashes():
>
> $descrip_field=addslashes($descrip_field);
>
> Fixed it. But the code:
>
> if (!get_magic_quotes_gpc()) {
> $descrip_field = mysql_real_escape_string($descrip_field);
> }
As I said, turn off magic_quotes, then use
$descrip_field = mysql_real_escape_string($descrip_field);
> Did *not* fix it. So, to simplify this. Why would addslashes work and
> the other code (which I see often as a "recommended" way to escape) not
> work? This is a PHP question I suppose but I wanted to end the thread.
> Sorry if I did not supply enough info up front for you to support.
mysql_real_escape_string() should work. The problem is that it wasn't being
called when it needed to be.
See <http://us2.php.net/manual/en/function.mysql-real-escape-string.php> and
<http://us2.php.net/manual/en/function.get-magic-quotes-gpc.php>.
Michael
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
