Nestor,
You would do better to use prepared statements.
When a parameter is substituted into the prepared statement it is
automatically quoted -- and you are protected from SQL Injection
attacks. The reason your script is failing is that the single quote in
$field is being interpreted as the SQL statement's closing single quote
in MySQL. Thus, data in $field is being treated as potential SQL code.
Very dangerous.
In your example, if someone is able to insert ');update user set
password=PASSWORD('cracked into $field you're in trouble. That's a
simple but poor example of what can be done. People intent on breaking
your system don't need to know what your schema is to do you harm.
Prepared statements and parameter substitution is a function of your
language's DB library, so you need to find out how your language does this.
HTH,
Robert J Taylor.
There's an article at MySQL.com on Prepared Statements for more reading:
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
Nestor Florez wrote:
Hello world,
I am passing a a string Joe's car as part of the SQL query to be inserted
to a String field.
$field=Joe's car;
$query=insert into mytable values('$field');
Do you generally change the quote to a double quote before inserting
or what is the recomended way, because otherwise the quote will
terminate the query statement.
Thanks,
:-)
Néstor Alberto Flórez Torres
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
