Re: Passing single quote within a query

2004-12-09 Thread Steve Davies
backslash escape the quote:
$field = "Joe\'s car";
or if you're using PHP you can turn this on automatically
HTH
Steve

Nestor Florez wrote:
Hello world,
I am passing a string Joe's car as part of the SQL query to be inserted
to a String field.

$field = "Joe's car";
$query = "insert into mytable values('$field')";
Do you generally change the quote to a double quote before inserting
or what is the recommended way, because otherwise the quote will
terminate the query statement.
Thanks,
:-)
Néstor Alberto Flórez Torres

 


--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]


Re: Passing single quote within a query

2004-12-09 Thread Robert J Taylor
Nestor,
You would do better to use prepared statements.
When a parameter is substituted into the prepared statement it is 
automatically quoted -- and you are protected from SQL Injection 
attacks. The reason your script is failing is that the single quote in 
$field is being interpreted as the SQL statement's closing single quote 
in MySQL. Thus, data in $field is being treated as potential SQL code. 
Very dangerous.

In your example, if someone is able to insert ');update user set 
password=PASSWORD('cracked into $field you're in trouble. That's a 
simple but poor example of what can be done. People intent on breaking 
your system don't need to know what your schema is to do you harm.

Prepared statements and parameter substitution are a function of your 
language's DB library, so you need to find out how your language does this.

HTH,
Robert J Taylor.
There's an article at MySQL.com on Prepared Statements for more reading:
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
Nestor Florez wrote:
Hello world,
I am passing a string Joe's car as part of the SQL query to be inserted
to a String field.

$field = "Joe's car";
$query = "insert into mytable values('$field')";
Do you generally change the quote to a double quote before inserting
or what is the recommended way, because otherwise the quote will
terminate the query statement.
Thanks,
:-)
Néstor Alberto Flórez Torres

 

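As an added illustration of the three approaches discussed in this thread (the questioner's interpolated query, Steve's hand-escaped quote, and Robert's bound parameter), here is a self-contained Python script that is not from the original thread or from MySQL. It uses Python's built-in sqlite3 module instead of a MySQL server so it runs offline; the table layout, the sample "admin" row, and the payload variant (SQLite's upper() standing in for MySQL's PASSWORD()) are constructed for the demonstration. executescript() is used for the string-built queries so the driver will run a second, stacked statement, which is the behaviour Robert's payload relies on. One dialect caveat: SQLite escapes a quote by doubling it, whereas MySQL also accepts Steve's backslash (unless NO_BACKSLASH_ESCAPES is in effect); hand escaping has to match the server you talk to, which is one more reason to let the driver bind the value.

```python
import sqlite3

# Constructed sample inputs (not from the thread's systems): the legitimate
# value from the question, and a stacked-statement payload shaped like the
# one in Robert's reply. Once the template's trailing ') is appended, the
# payload becomes:  ...values('');update user set password=upper('cracked')
BENIGN = "Joe's car"
PAYLOAD = "');update user set password=upper('cracked"


def fresh_db():
    """In-memory database with the target table and a user row to attack."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table mytable (field text);
        create table user (name text, password text);
        insert into user values ('admin', 'original');
        """
    )
    return conn


def insert_interpolated(conn, field):
    """The questioner's approach: paste the value straight into the SQL text.
    A quote in the value ends the literal, so whatever follows is parsed as SQL."""
    conn.executescript(f"insert into mytable values('{field}')")


def insert_escaped(conn, field):
    """Steve's approach, in SQLite's dialect: escape each quote by hand
    (SQLite doubles it; MySQL would accept a backslash) and then interpolate."""
    escaped = field.replace("'", "''")
    conn.executescript(f"insert into mytable values('{escaped}')")


def insert_bound(conn, field):
    """Robert's approach: a parameterised statement. The driver sends the
    value separately from the SQL text, so it can never be parsed as SQL."""
    conn.execute("insert into mytable values(?)", (field,))


def stored_fields(conn):
    return [row[0] for row in conn.execute("select field from mytable")]


def admin_password(conn):
    return conn.execute(
        "select password from user where name = 'admin'"
    ).fetchone()[0]


def demo():
    """Run all three approaches against fresh databases and report what happened."""
    results = {}

    # 1. Interpolation with the benign value: the apostrophe breaks the statement.
    conn = fresh_db()
    try:
        insert_interpolated(conn, BENIGN)
        results["naive_benign"] = "ok"
    except sqlite3.OperationalError:
        results["naive_benign"] = "syntax error"

    # 2. Interpolation with the payload: the stacked UPDATE runs and the
    #    admin password is overwritten.
    conn = fresh_db()
    insert_interpolated(conn, PAYLOAD)
    results["naive_payload_password"] = admin_password(conn)

    # 3. Hand escaping: both values are stored verbatim, nothing else runs.
    conn = fresh_db()
    insert_escaped(conn, BENIGN)
    insert_escaped(conn, PAYLOAD)
    results["escaped"] = (stored_fields(conn), admin_password(conn))

    # 4. Parameter binding: same outcome as 3, with no escaping logic to get wrong.
    conn = fresh_db()
    insert_bound(conn, BENIGN)
    insert_bound(conn, PAYLOAD)
    results["bound"] = (stored_fields(conn), admin_password(conn))

    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the questioner's symptom (a syntax error on "Joe's car"), Robert's warning (the admin password becomes CRACKED with no error at all), and that both escaping and binding store the payload as an ordinary string. The difference between the last two is who is responsible for getting the quoting right: with binding it is the driver, for every value, in the server's own dialect.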