subject:"certain content is causing an error with INSERT \- please help"

Re: certain content is causing an error with INSERT - please help

2005-02-13 Thread Frank Busch

Hi leegold,

I don't know what mysql_real_escape_string would do, because it isn't a
standard-php-function. So I don't regard it and talk about the basics.

In fact you have a string delimiter in Librarian's Edition so you have to
escape it to make MySQL know where the string really ends.

 

There are two possibilities:

1. Double the quote to Librarian''s Edition with
$descrip_field=str_replace(','',$$descrip_field);

2. Use addslashes (as you described) to create Librarian\'s Edition. 

 

Both ways work. The disadvantage of the second one is, that you might get
back a Librarian\'s Edition when you select from the database. In that
case you can't decide whether the user wanted that content or it occurred
because of escaping. Therefore I would always recommend the first way and
never(!) trust on any automatic escaping PHP would do for you.

By the way... you might get more probs when you have backslashes in you
strings. You should double them, too.

 

Frank

 

 I fixed it. But I'm not clear on why. The following code ie. taking 

 the content and blatently putting the content through addslashes():

 

 $descrip_field=addslashes($descrip_field);

 

 Fixed it. But the code:

 

 if (!get_magic_quotes_gpc()) {

$descrip_field = mysql_real_escape_string($descrip_field);

 }

 

 Did *not* fix it. So, to simplify this. Why would addslashes work and 

 the other code (which I see often as a recommend way to escape) not 

 work? This is a PHP question I suppose but I wanted to end the thread.

 Sorry if I did not supply enough info up front for you to support.

AW: certain content is causing an error with INSERT - please help

2005-02-13 Thread Frank Busch

OK, I use an older version of PHP where mysql_real_esacpe_strings isn't
avail. But nevertheless I would always prefer double-quoting with
  $descrip_field=str_replace(','',$$descrip_field);
This is because I got lot's of Problems with different languages on
different databases when you try to make things easy of trust on automatism.
This always works. 
Put all the checks and escapes into a function and call it instead of
mysql_real_escape_string... Then everything will be fine.

Frank Busch

...

leegold wrote:

 I'm ripping hair out, here's the problem...I'm trying to insert content
 cited below into a field and it's causing this error, ie. there's
 content i just cannot insert into the DB an it's causing the following
 error message:
 
 You have an error in your SQL syntax; check the manual that corresponds
 to your MySQL server version for the right syntax to use near 's
 Edition).
 
 Here's the content that will not insert:
 
 iHow to Get It: A Guide to Defense - Related Information Resources/i 
  (DTIC, 2002; Librarian's Edition). A reference published by the Defense
  Technical Information Service. The inspiration for this document.

Without special treatment the single quote (apostrophe) in Librarian's 
terminates the string, leaving the rest as nonsense SQL.

 I'm using PHP so I run the code below (note I think magic quotes might
 be enabled on my server so the mysql_real_escape_string in the code
 below might never be runned) but in any event it is escaped with:
 
 if (!get_magic_quotes_gpc()) {
$descrip_field = mysql_real_escape_string($descrip_field);
 }

The gpc stands for Get/Post/Cookie.  I'd guess that $descrip_field didn't 
come directly from a Get, Post, or Cookie, so magic_quotes didn't affect it.

  In that case, you have to escape it by hand with mysql_real_escape_string,

but you don't do that because magic_quotes_gpc is on.  I think this is a 
good example of why magic_quotes is a bad idea.  Better to turn it off and 
then *always* process your strings.

 I do the same escape for the title field tooThen futher down in the
 code actual INSERT code is:
 
 mysql_query(INSERT INTO howto.page (title, descrip) VALUES
 ('$title_field', '$descrip_field'))
 or die (Can't connect because .mysql_error());
 $page_id1 = mysql_insert_id();
 if ($page_id1 == '0' ) { die ('died : page_id1=0'); }
 

It is good that you are checking for errors and printing them when you get 
them, but often the error comes from the SQL statement not being what you 
think it is (as happened here, I think).  You would stand a better chance of

catching that if you included the actual SQL in the error message.  I would 
use something like

   $query = INSERT INTO howto.page (title, descrip)
 VALUES ('$title_field', '$descrip_field');
   mysql_query($query) or die (Query: .$query.\n failed with error: 
   .mysql_error().\n);

That way, you see the actual query that was sent, as well as the error from 
mysql.

 What's wrong??? It inserts for everything else OK, but just won't insert
 when i try with the content i cited?
 
 Thanks,
 Lee G.

Then leegold also wrote:
  I fixed it. But I'm not clear on why. The following code ie. taking the
  content and blatantly putting the content through addslashes():
 
  $descrip_field=addslashes($descrip_field);
 
  Fixed it. But the code:
 
  if (!get_magic_quotes_gpc()) {
 $descrip_field = mysql_real_escape_string($descrip_field);
  }

As I said, turn off magic_quotes, then use

   $descrip_field = mysql_real_escape_string($descrip_field);

  Did *not* fix it. So, to simplify this. Why would addslashes work and
  the other code (which I see often as a recommended way to escape) not
  work? This is a PHP question I suppose but I wanted to end the thread.
  Sorry if I did not supply enough info up front for you to support.

mysql_real_escape_string() should work.  The problem is that it wasn't being

called when it needed to be.

See http://us2.php.net/manual/en/function.mysql-real-escape-string.php and

http://us2.php.net/manual/en/function.get-magic-quotes-gpc.php.

Michael


-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]




-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]

certain content is causing an error with INSERT - please help

2005-02-12 Thread leegold

I'm ripping hair out, here's the problem...I'm trying to insert content
cited below into a field and it's causing this error, ie. there's
content i just cannot insert into the DB an it's causing the following
error message:

You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 's
Edition).

Here's the content that will not insert:

iHow to Get It: A Guide to Defense - Related Information Resources/i 
 (DTIC, 2002; Librarian's Edition). A reference published by the Defense
 Technical Information Service. The inspiration for this document.

I'm using PHP so I run the code below (note I think magic quotes might
be enabled on my server so the mysql_real_escape_string in the code
below might never be runned) but in any event it is escaped with:

if (!get_magic_quotes_gpc()) {
   $descrip_field = mysql_real_escape_string($descrip_field);
}


I do the same escape for the title field tooThen futher down in the
code actual INSERT code is:

mysql_query(INSERT INTO howto.page (title, descrip) VALUES
('$title_field', '$descrip_field'))
or die (Can't connect because .mysql_error());
$page_id1 = mysql_insert_id();
if ($page_id1 == '0' ) { die ('died : page_id1=0'); }


What's wrong??? It inserts for everything else OK, but just won't insert
when i try with the content i cited?

Thanks,
Lee G.



-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]

Re: certain content is causing an error with INSERT - please help

2005-02-12 Thread Michael Stassen

leegold wrote:
I'm ripping hair out, here's the problem...I'm trying to insert content
cited below into a field and it's causing this error, ie. there's
content i just cannot insert into the DB an it's causing the following
error message:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 's
Edition).
Here's the content that will not insert:
iHow to Get It: A Guide to Defense - Related Information Resources/i 
 (DTIC, 2002; Librarian's Edition). A reference published by the Defense
 Technical Information Service. The inspiration for this document.
Without special treatment the single quote (apostrophe) in Librarian's 
terminates the string, leaving the rest as nonsense SQL.

I'm using PHP so I run the code below (note I think magic quotes might
be enabled on my server so the mysql_real_escape_string in the code
below might never be runned) but in any event it is escaped with:
if (!get_magic_quotes_gpc()) {
   $descrip_field = mysql_real_escape_string($descrip_field);
}
The gpc stands for Get/Post/Cookie.  I'd guess that $descrip_field didn't 
come directly from a Get, Post, or Cookie, so magic_quotes didn't affect it. 
 In that case, you have to escape it by hand with mysql_real_escape_string, 
but you don't do that because magic_quotes_gpc is on.  I think this is a 
good example of why magic_quotes is a bad idea.  Better to turn it off and 
then *always* process your strings.

I do the same escape for the title field tooThen futher down in the
code actual INSERT code is:
mysql_query(INSERT INTO howto.page (title, descrip) VALUES
('$title_field', '$descrip_field'))
or die (Can't connect because .mysql_error());
$page_id1 = mysql_insert_id();
if ($page_id1 == '0' ) { die ('died : page_id1=0'); }

It is good that you are checking for errors and printing them when you get 
them, but often the error comes from the SQL statement not being what you 
think it is (as happened here, I think).  You would stand a better chance of 
catching that if you included the actual SQL in the error message.  I would 
use something like

  $query = INSERT INTO howto.page (title, descrip)
VALUES ('$title_field', '$descrip_field');
  mysql_query($query) or die (Query: .$query.\n failed with error: 
  .mysql_error().\n);
That way, you see the actual query that was sent, as well as the error from 
mysql.

What's wrong??? It inserts for everything else OK, but just won't insert
when i try with the content i cited?
Thanks,
Lee G.
Then leegold also wrote:
 I fixed it. But I'm not clear on why. The following code ie. taking the
 content and blatantly putting the content through addslashes():

 $descrip_field=addslashes($descrip_field);

 Fixed it. But the code:

 if (!get_magic_quotes_gpc()) {
$descrip_field = mysql_real_escape_string($descrip_field);
 }
As I said, turn off magic_quotes, then use
  $descrip_field = mysql_real_escape_string($descrip_field);
 Did *not* fix it. So, to simplify this. Why would addslashes work and
 the other code (which I see often as a recommended way to escape) not
 work? This is a PHP question I suppose but I wanted to end the thread.
 Sorry if I did not supply enough info up front for you to support.
mysql_real_escape_string() should work.  The problem is that it wasn't being 
called when it needed to be.

See http://us2.php.net/manual/en/function.mysql-real-escape-string.php and 
http://us2.php.net/manual/en/function.get-magic-quotes-gpc.php.

Michael
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]

Re: certain content is causing an error with INSERT - please help

AW: certain content is causing an error with INSERT - please help

certain content is causing an error with INSERT - please help

Re: certain content is causing an error with INSERT - please help

4 matches

Site Navigation

Mail list logo

Footer information