Re: certain content is causing an error with INSERT - please help
Hi leegold, I don't know what mysql_real_escape_string would do, because it isn't a standard-php-function. So I don't regard it and talk about the basics. In fact you have a string delimiter in Librarian's Edition so you have to escape it to make MySQL know where the string really ends. There are two possibilities: 1. Double the quote to Librarian''s Edition with $descrip_field=str_replace(','',$$descrip_field); 2. Use addslashes (as you described) to create Librarian\'s Edition. Both ways work. The disadvantage of the second one is, that you might get back a Librarian\'s Edition when you select from the database. In that case you can't decide whether the user wanted that content or it occurred because of escaping. Therefore I would always recommend the first way and never(!) trust on any automatic escaping PHP would do for you. By the way... you might get more probs when you have backslashes in you strings. You should double them, too. Frank I fixed it. But I'm not clear on why. The following code ie. taking the content and blatently putting the content through addslashes(): $descrip_field=addslashes($descrip_field); Fixed it. But the code: if (!get_magic_quotes_gpc()) { $descrip_field = mysql_real_escape_string($descrip_field); } Did *not* fix it. So, to simplify this. Why would addslashes work and the other code (which I see often as a recommend way to escape) not work? This is a PHP question I suppose but I wanted to end the thread. Sorry if I did not supply enough info up front for you to support.
AW: certain content is causing an error with INSERT - please help
OK, I use an older version of PHP where mysql_real_esacpe_strings isn't avail. But nevertheless I would always prefer double-quoting with $descrip_field=str_replace(','',$$descrip_field); This is because I got lot's of Problems with different languages on different databases when you try to make things easy of trust on automatism. This always works. Put all the checks and escapes into a function and call it instead of mysql_real_escape_string... Then everything will be fine. Frank Busch ... leegold wrote: I'm ripping hair out, here's the problem...I'm trying to insert content cited below into a field and it's causing this error, ie. there's content i just cannot insert into the DB an it's causing the following error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edition). Here's the content that will not insert: iHow to Get It: A Guide to Defense - Related Information Resources/i (DTIC, 2002; Librarian's Edition). A reference published by the Defense Technical Information Service. The inspiration for this document. Without special treatment the single quote (apostrophe) in Librarian's terminates the string, leaving the rest as nonsense SQL. I'm using PHP so I run the code below (note I think magic quotes might be enabled on my server so the mysql_real_escape_string in the code below might never be runned) but in any event it is escaped with: if (!get_magic_quotes_gpc()) { $descrip_field = mysql_real_escape_string($descrip_field); } The gpc stands for Get/Post/Cookie. I'd guess that $descrip_field didn't come directly from a Get, Post, or Cookie, so magic_quotes didn't affect it. In that case, you have to escape it by hand with mysql_real_escape_string, but you don't do that because magic_quotes_gpc is on. I think this is a good example of why magic_quotes is a bad idea. Better to turn it off and then *always* process your strings. I do the same escape for the title field tooThen futher down in the code actual INSERT code is: mysql_query(INSERT INTO howto.page (title, descrip) VALUES ('$title_field', '$descrip_field')) or die (Can't connect because .mysql_error()); $page_id1 = mysql_insert_id(); if ($page_id1 == '0' ) { die ('died : page_id1=0'); } It is good that you are checking for errors and printing them when you get them, but often the error comes from the SQL statement not being what you think it is (as happened here, I think). You would stand a better chance of catching that if you included the actual SQL in the error message. I would use something like $query = INSERT INTO howto.page (title, descrip) VALUES ('$title_field', '$descrip_field'); mysql_query($query) or die (Query: .$query.\n failed with error: .mysql_error().\n); That way, you see the actual query that was sent, as well as the error from mysql. What's wrong??? It inserts for everything else OK, but just won't insert when i try with the content i cited? Thanks, Lee G. Then leegold also wrote: I fixed it. But I'm not clear on why. The following code ie. taking the content and blatantly putting the content through addslashes(): $descrip_field=addslashes($descrip_field); Fixed it. But the code: if (!get_magic_quotes_gpc()) { $descrip_field = mysql_real_escape_string($descrip_field); } As I said, turn off magic_quotes, then use $descrip_field = mysql_real_escape_string($descrip_field); Did *not* fix it. So, to simplify this. Why would addslashes work and the other code (which I see often as a recommended way to escape) not work? This is a PHP question I suppose but I wanted to end the thread. Sorry if I did not supply enough info up front for you to support. mysql_real_escape_string() should work. The problem is that it wasn't being called when it needed to be. See http://us2.php.net/manual/en/function.mysql-real-escape-string.php and http://us2.php.net/manual/en/function.get-magic-quotes-gpc.php. Michael -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
certain content is causing an error with INSERT - please help
I'm ripping hair out, here's the problem...I'm trying to insert content cited below into a field and it's causing this error, ie. there's content i just cannot insert into the DB an it's causing the following error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edition). Here's the content that will not insert: iHow to Get It: A Guide to Defense - Related Information Resources/i (DTIC, 2002; Librarian's Edition). A reference published by the Defense Technical Information Service. The inspiration for this document. I'm using PHP so I run the code below (note I think magic quotes might be enabled on my server so the mysql_real_escape_string in the code below might never be runned) but in any event it is escaped with: if (!get_magic_quotes_gpc()) { $descrip_field = mysql_real_escape_string($descrip_field); } I do the same escape for the title field tooThen futher down in the code actual INSERT code is: mysql_query(INSERT INTO howto.page (title, descrip) VALUES ('$title_field', '$descrip_field')) or die (Can't connect because .mysql_error()); $page_id1 = mysql_insert_id(); if ($page_id1 == '0' ) { die ('died : page_id1=0'); } What's wrong??? It inserts for everything else OK, but just won't insert when i try with the content i cited? Thanks, Lee G. -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: certain content is causing an error with INSERT - please help
leegold wrote: I'm ripping hair out, here's the problem...I'm trying to insert content cited below into a field and it's causing this error, ie. there's content i just cannot insert into the DB an it's causing the following error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edition). Here's the content that will not insert: iHow to Get It: A Guide to Defense - Related Information Resources/i (DTIC, 2002; Librarian's Edition). A reference published by the Defense Technical Information Service. The inspiration for this document. Without special treatment the single quote (apostrophe) in Librarian's terminates the string, leaving the rest as nonsense SQL. I'm using PHP so I run the code below (note I think magic quotes might be enabled on my server so the mysql_real_escape_string in the code below might never be runned) but in any event it is escaped with: if (!get_magic_quotes_gpc()) { $descrip_field = mysql_real_escape_string($descrip_field); } The gpc stands for Get/Post/Cookie. I'd guess that $descrip_field didn't come directly from a Get, Post, or Cookie, so magic_quotes didn't affect it. In that case, you have to escape it by hand with mysql_real_escape_string, but you don't do that because magic_quotes_gpc is on. I think this is a good example of why magic_quotes is a bad idea. Better to turn it off and then *always* process your strings. I do the same escape for the title field tooThen futher down in the code actual INSERT code is: mysql_query(INSERT INTO howto.page (title, descrip) VALUES ('$title_field', '$descrip_field')) or die (Can't connect because .mysql_error()); $page_id1 = mysql_insert_id(); if ($page_id1 == '0' ) { die ('died : page_id1=0'); } It is good that you are checking for errors and printing them when you get them, but often the error comes from the SQL statement not being what you think it is (as happened here, I think). You would stand a better chance of catching that if you included the actual SQL in the error message. I would use something like $query = INSERT INTO howto.page (title, descrip) VALUES ('$title_field', '$descrip_field'); mysql_query($query) or die (Query: .$query.\n failed with error: .mysql_error().\n); That way, you see the actual query that was sent, as well as the error from mysql. What's wrong??? It inserts for everything else OK, but just won't insert when i try with the content i cited? Thanks, Lee G. Then leegold also wrote: I fixed it. But I'm not clear on why. The following code ie. taking the content and blatantly putting the content through addslashes(): $descrip_field=addslashes($descrip_field); Fixed it. But the code: if (!get_magic_quotes_gpc()) { $descrip_field = mysql_real_escape_string($descrip_field); } As I said, turn off magic_quotes, then use $descrip_field = mysql_real_escape_string($descrip_field); Did *not* fix it. So, to simplify this. Why would addslashes work and the other code (which I see often as a recommended way to escape) not work? This is a PHP question I suppose but I wanted to end the thread. Sorry if I did not supply enough info up front for you to support. mysql_real_escape_string() should work. The problem is that it wasn't being called when it needed to be. See http://us2.php.net/manual/en/function.mysql-real-escape-string.php and http://us2.php.net/manual/en/function.get-magic-quotes-gpc.php. Michael -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]