Hi Eugene,

Yes, this worked great. I just find it hard to believe that it's all necessary.

Without using sqlite_escape_string, single quotes cause "SQL Logic or missing database" errors. So I'm forced to use that function on variables set via a form.

But then to avoid the "backslash in the data" problem, I need to use stripslashes on the variables I'm about to write to the database.

But just in case a user has magic_quotes_gpc set off, I need to test that function and then decide whether to use stripslashes() or not.

Problem solved, but the solution is kind of, well, "icky".

I love the idea of a RDBMS that doesn't require a daemon. And I love PHP. They're both so convenient. But the difficulty of programming with the two taken together is more than the sum of the "difficultness" of the two individually. :(

Thanks!
Pete

On Thu 17 Mar 05, 1:58 PM, Eugene Wee <[EMAIL PROTECTED]> said:
> Hi,
>
> I think the reason is that sqlite_escape_string() doubles single quotes
> to escape them.
> However, you have magic_quotes_gpc set to 1 in php.ini
> As such, incoming variables are escaped using backslashes.
>
> A solution is to use stripslashes() on the incoming variables if
> get_magic_quotes_gpc() returns 1, since you can't change magic_quotes_gpc
> at runtime.
> Alternatively, you can alter php.ini, but that's usually not practical.
>
> Eugene Wee
>
> Peter Jay Salzman wrote:
> >I've nearly completed converting Wheatblog to sqlite. It's been quite a
> >learning experience! I've come across a problem I haven't been able to
> >figure out, though.
> >
> >Whenever I made a blog post that had a forward quote character (') in
> >either the title or the body of the post, I'd get an error.
> >
> >After a little Googling, I changed my query to:
> >
> >
> >   $query = "INSERT INTO $database_table
> >      (id, day, month, date, year, category, title, body, showpref)
> >      VALUES (null,
> >      '" . sqlite_escape_string($_POST['the_day']) . "',
> >      '" . sqlite_escape_string($_POST['the_month']) . "',
> >      '" . sqlite_escape_string($_POST['the_date']) . "',
> >      '" . sqlite_escape_string($_POST['the_year']) . "',
> >      '" . sqlite_escape_string($_POST['the_category']) . "',
> >      '" . sqlite_escape_string($_POST['the_title']) . "',
> >      '" . sqlite_escape_string($_POST['the_body']) . "',
> >      '" . sqlite_escape_string($_POST['the_showpref']) . "')";
> >
> >   DB_query($query, $db);
> >
> >and the definition of DB_query is:
> >
> >
> >   function DB_query($cmd, $db)
> >   {
> >      $retval = sqlite_query($db, "$cmd")
> >         or die('Query Error: ' .
> >            sqlite_error_string(sqlite_last_error($db)));
> >
> >      return $retval;
> >   }
> >
> >This works in the sense that forward quotes no longer generate an error.
> >However, whenever I print out a blog post, the forward quotes are all
> >escaped. So if I post:
> >
> >   This contains a ' character.
> >
> >The post, when printed looks like:
> >
> >   This contains a \' character.
> >
> >What's the proper way to ensure that ' characters are properly quoted but
> >don't show up in the output?
> >
> >Thanks!
> >Pete
> >
>

-- 
Save Star Trek Enterprise from extinction: http://www.saveenterprise.com
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
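
The double-escaping discussed in this thread, reproduced against an in-memory SQLite database as an added example (not part of the original messages). It is a Python model: `addslashes`, `stripslashes` and `sqlite_escape` are simplified stand-ins for the PHP behaviour, and the `posts` table and sample strings are constructed. The `bound=True` case goes beyond the thread by binding the value as a parameter, which needs no SQL escaping at all.

```python
import re
import sqlite3

def addslashes(s):
    # Simplified model of magic_quotes_gpc=1: backslash-escape \ ' and "
    for ch in ("\\", "'", '"'):
        s = s.replace(ch, "\\" + ch)
    return s

def stripslashes(s):
    # Simplified model of PHP stripslashes(): remove one level of backslashes
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)

def sqlite_escape(s):
    # Model of sqlite_escape_string() for text: double each single quote
    return s.replace("'", "''")

def roundtrip(raw, magic_quotes, strip_if_magic, bound=False):
    """Return what is stored in the table for one submitted form value."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (title TEXT)")
    # What the script would see in $_POST
    value = addslashes(raw) if magic_quotes else raw
    # The get_magic_quotes_gpc() test: strip only when quoting was applied
    if strip_if_magic and magic_quotes:
        value = stripslashes(value)
    if bound:
        # Parameter binding: the value never becomes part of the SQL text
        db.execute("INSERT INTO posts (title) VALUES (?)", (value,))
    else:
        # The thread's approach: escaped literal concatenated into the query
        db.execute("INSERT INTO posts (title) VALUES ('"
                   + sqlite_escape(value) + "')")
    stored = db.execute("SELECT title FROM posts").fetchone()[0]
    db.close()
    return stored

RAW = "This contains a ' character."   # constructed sample input

if __name__ == "__main__":
    print(roundtrip(RAW, True, False))             # backslash stored in data
    print(roundtrip(RAW, True, True))              # conditional strip fixes it
    print(roundtrip(RAW, False, True))             # magic quotes off: untouched
    print(roundtrip(RAW, True, True, bound=True))  # bound parameter
    print(stripslashes("C:\\temp"))                # unconditional strip eats data
```

The last line shows why the strip has to be conditional: with magic quotes off, calling `stripslashes` on raw input removes backslashes the user actually typed.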