Hi Eugene,
Yes, this worked great. I just find it hard to believe that it's all
necessary.
Without using sqlite_escape_string, single quotes cause "SQL Logic or
missing database" errors. So I'm forced to use that function on variables
set via a form.
But then to avoid the "backslash in the data" problem, I need to use
stripslashes on the variables I'm about to write to the database.
But just in case a user has magic_quotes_gpc set off, I need to test that
function and then decide whether to use stripslashes() or not.
Problem solved, but the solution is kind of, well, "icky". I love the idea
of an RDBMS that doesn't require a daemon. And I love PHP. They're both so
convenient. But the difficulty of programming with the two taken together
is more than the sum of the "difficultness" of the two individually. :(
Thanks!
Pete
On Thu 17 Mar 05, 1:58 PM, Eugene Wee <[EMAIL PROTECTED]> said:
> Hi,
>
> I think the reason is that sqlite_escape_string() doubles single quotes
> to escape them.
> However, you have magic_quotes_gpc set to 1 in php.ini.
> As such, incoming variables are escaped using backslashes.
>
> A solution is to use stripslashes() on the incoming variables if
> get_magic_quotes_gpc() returns 1, since you can't change magic_quotes_gpc
> at runtime.
> Alternatively, you can alter php.ini, but that's usually not practical.
>
> Eugene Wee
>
> Peter Jay Salzman wrote:
> >I've nearly completed converting Wheatblog to sqlite. It's been quite a
> >learning experience! I've come across a problem I haven't been able to
> >figure out, though.
> >
> >Whenever I made a blog post that had a forward quote character (') in
> >either the title or the body of the post, I'd get an error.
> >
> >After a little Googling, I changed my query to:
> >
> >
> >   $query = "INSERT INTO $database_table
> >      (id, day, month, date, year, category, title, body, showpref)
> >      VALUES (null,
> >      '" . sqlite_escape_string($_POST['the_day']) . "',
> >      '" . sqlite_escape_string($_POST['the_month']) . "',
> >      '" . sqlite_escape_string($_POST['the_date']) . "',
> >      '" . sqlite_escape_string($_POST['the_year']) . "',
> >      '" . sqlite_escape_string($_POST['the_category']) . "',
> >      '" . sqlite_escape_string($_POST['the_title']) . "',
> >      '" . sqlite_escape_string($_POST['the_body']) . "',
> >      '" . sqlite_escape_string($_POST['the_showpref']) . "')";
> >
> >   DB_query($query, $db);
> >
> >and the definition of DB_query is:
> >
> >
> >   function DB_query($cmd, $db)
> >   {
> >      $retval = sqlite_query($db, "$cmd")
> >         or die('Query Error: ' .
> >            sqlite_error_string(sqlite_last_error($db)));
> >
> >      return $retval;
> >   }
> >
> >This works in the sense that forward quotes no longer generate an error.
> >However, whenever I print out a blog post, the forward quotes are all
> >escaped. So if I post:
> >
> > This contains a ' character.
> >
> >The post, when printed looks like:
> >
> > This contains a \' character.
> >
> >What's the proper way to ensure that ' characters are properly quoted but
> >don't show up in the output?
> >
> >Thanks!
> >Pete
> >
>
--
Save Star Trek Enterprise from extinction: http://www.saveenterprise.com
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
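
The double escaping discussed in this thread, reproduced against an in-memory SQLite database as an added example that is not part of the original messages. It is written in Python; `addslashes`, `stripslashes` and `sqlite_escape_string` here are simplified emulations of the PHP behaviour described above, and the `posts` table, `normalize` and the `store_by_*` helpers are hypothetical names. The last helper goes beyond the thread and shows parameter binding with Python's `sqlite3` module, where no escaping function touches the value.

```python
import re
import sqlite3

def addslashes(s):
    """Emulate magic_quotes_gpc=1 on form input (NUL handling omitted)."""
    return re.sub(r"""(['"\\])""", r"\\\1", s)

def stripslashes(s):
    """Emulate PHP stripslashes(): remove one level of backslash escaping."""
    return re.sub(r"\\(.?)", r"\1", s, flags=re.S)

def sqlite_escape_string(s):
    """SQLite string-literal escaping: double each single quote."""
    return s.replace("'", "''")

def normalize(value, magic_quotes_on):
    """The fix from the thread: undo magic quotes only when the setting is on."""
    return stripslashes(value) if magic_quotes_on else value

def _new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    return db

def store_by_concatenation(value):
    """Build the INSERT by string concatenation, as the thread's query does."""
    db = _new_db()
    db.execute("INSERT INTO posts (id, body) VALUES (null, '"
               + sqlite_escape_string(value) + "')")
    return db.execute("SELECT body FROM posts").fetchone()[0]

def store_by_binding(value):
    """Bind the value as a parameter, so no escaping function is involved."""
    db = _new_db()
    db.execute("INSERT INTO posts (id, body) VALUES (null, ?)", (value,))
    return db.execute("SELECT body FROM posts").fetchone()[0]

if __name__ == "__main__":
    typed = "This contains a ' character."    # constructed sample input
    posted = addslashes(typed)                # what the script receives with magic quotes on
    print(store_by_concatenation(posted))                   # backslash is stored
    print(store_by_concatenation(normalize(posted, True)))  # stored as typed
    print(store_by_binding(typed))                          # stored as typed
```

SQLite does not treat a backslash as an escape character inside a string literal, which is why the backslash added by magic quotes ends up stored as data.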