They're escaped with backslashes. Weird thing is, I did make a JavaScript
function that converts every character to Unicode hex values preceded by %,
but for some magical reason, when I use rawurldecode on the string, the
apostrophes are still escaped! At the moment, this is beyond my grasp, but
I'll have to look over my code tomorrow and see how that can be...

"David Otton" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Tue, 17 Jun 2003 17:00:26 +0200, you wrote:
>
> >I'm embedding an SQL query constructed in Javascript to an URL and opening
> >it in PHP where I try to execute it.
>
> I can't believe anyone hasn't jumped on this yet :)
>
> Please be very, very careful. There's a big big hole there.
>
> >Problem is, the string arrives garbled, with all the apostrophes escaped.
>
> Escaped how, exactly? With backslashes? Doubled apostrophes?
>
> The obvious thing would be a
>
> $query = str_replace("''", "'", $query);
>
> But again, please reconsider what you're doing - it sounds like you're
> trusting the client way too much. If you go ahead, ask on a
> database-specific mailing list about the holes you need to plug.
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
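The pattern David warns about, placed beside the hardened alternative, as an added example in PHP that is not part of this thread. It assumes a `products(name, price)` table (the table and column names are assumptions) and uses PDO over an in-memory SQLite database; the `get_magic_quotes_gpc()` check covers the PHP 4/5 `magic_quotes_gpc` setting, which adds a backslash before every apostrophe in `$_GET` data and is the most likely source of the escaped apostrophes the original poster describes, since percent-encoding and `rawurldecode()` never add backslashes.

```php
<?php
// Added example, not code from the thread. Table/column names are assumptions.

// --- The pattern described in the thread: the browser builds the whole SQL
// statement, sends it in the URL, and PHP executes whatever arrives. ---
function run_client_supplied_sql(PDO $db, string $rawQuery): PDOStatement
{
    // On PHP 4/5 with magic_quotes_gpc enabled, every ' in $_GET data arrives
    // as \' ; that is PHP's doing, not the JavaScript URL encoding.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $rawQuery = stripslashes($rawQuery);
    }
    // Whoever can craft a URL decides what statement runs here. This is the
    // "big big hole": the server has no say in the query text at all.
    return $db->query($rawQuery);
}

// --- Hardened form: only the user's data travels in the URL; the SQL text
// lives on the server and the value is bound as a parameter, so apostrophes
// in the data are handled by the driver and never change the statement. ---
function find_products_by_name(PDO $db, string $name): array
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $name = stripslashes($name); // undo the automatic backslashes once
    }
    $stmt = $db->prepare('SELECT name, price FROM products WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with an in-memory SQLite database and constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES ('O''Reilly book', 30.0), ('Lamp', 12.5)");

// What a browser-side percent-encoding function sends for "O'Reilly book"
// (constructed value). rawurldecode() restores the apostrophe unchanged.
$fromUrl = rawurldecode('O%27Reilly%20book');
print_r(find_products_by_name($db, $fromUrl)); // one row: O'Reilly book, 30
```

The key change is what crosses the trust boundary: in `find_products_by_name()` the URL carries only a name, so the server's query shape is fixed and an apostrophe in the data is just data. The `str_replace("''", "'", ...)` fix from the reply only matters when apostrophes arrive doubled; with `magic_quotes_gpc` they arrive as `\'`, which is what `stripslashes()` undoes.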