| From: | Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | dionysos(at)dionysia(dot)org |
| Cc: | daniele(at)orlandi(dot)com, pgsql-sql(at)postgreSQL(dot)org |
| Subject: | Re: [SQL] What do I need to escape in an Insert ? |
| Date: | 1998-07-31 05:01:05 |
| Message-ID: | 199807310501.BAA11175@candle.pha.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
> On Fri, 31 Jul 1998, Daniele Orlandi wrote:
> > Suppose I'm going to insert the content of a <TEXTAREA> in a
> > table. Obviously, there will be characters that could potentially
> > confuse the SQL statement. What (and how) do I need to escape the
> > data to make it acceptable for an Insert ? I currently use the
> > PHP's addlashed function, is it enought ?
>
> I'm not sure if PHP's addslashes command will take care of single
> quotes, I haven't tried it yet. I believe the proper escape for a
> single quote in SQL is to put another single quote in front of it.
> So if a person's last name is "O'Brien" it would be inserted as:
>
> INSERT INTO personel (fname,lname) VALUES ('Michael','O''Brien');
>
> So what I do is a Regular Expression Replace in PHP, like this:
>
> $lname = ereg_replace("'", "''", $lname);
But this does not handle backslashes in the string. I think the PHP
function does both.
--
Bruce Momjian | 830 Blythe Avenue
maillist(at)candle(dot)pha(dot)pa(dot)us | Drexel Hill, Pennsylvania 19026
+ If your life is a hard drive, | (610) 353-9879(w)
+ Christ can be your backup. | (610) 853-3000(h)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | . . | 1998-07-31 06:40:10 | sample database file |
| Previous Message | Dan Delaney | 1998-07-31 04:42:46 | Re: [SQL] What do I need to escape in an Insert ? |