Re: [SQL] What do I need to escape in an Insert ?

From: Daniele Orlandi <daniele(at)orlandi(dot)com>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: [SQL] What do I need to escape in an Insert ?
Date: 1998-07-31 12:26:51
Message-ID: 35C1B80B.325F111D@orlandi.com
Lists: pgsql-sql

Bruce Momjian wrote:
>
> > I'm not sure if PHP's addslashes command will take care of single
> > quotes, I haven't tried it yet. I believe the proper escape for a
> > single quote in SQL is to put another single quote in front of it.
> > So if a person's last name is "O'Brien" it would be inserted as:
> >
> > INSERT INTO personel (fname,lname) VALUES ('Michael','O''Brien');
> >
> > So what I do is a Regular Expression Replace in PHP, like this:
> >
> > $lname = ereg_replace("'", "''", $lname);
>
> But this does not handle backslashes in the string. I think the PHP
> function does both.

Looking at the source of the Bug Database at php.net, I noticed that strings are
inserted as they are, without any escaping. I still don't know where and why,
but PHP seems to escape quotes and slashes by itself when working with strings.

For example, I have the following code in my page:

$Query=sprintf("INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES (
'%s','%s','%s','%s','Open' )",$EMail,$SDescr,$LDescr,$Version);

echo $Query;

In the textarea (ltext) I put:

\\
\n
'
"
abc

And the resulting query is:

INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES (
'daniele(at)orlandi(dot)com','Test3','\\\\ \\n \' \" abc','3.0.0','Open' )

Well, I've not yet been able to confuse PostgreSQL and everything I get from a
select is identical to what I put with the insert.

Bye!

--
Daniele

-------------------------------------------------------------------------------
Why use Windows, since there is a door?
(By fachat(at)galileo(dot)rhein-neckar(dot)de, Andre Fachat)
-------------------------------------------------------------------------------
If Telecom Italia added one call unit per day for every subscriber, since the
first of January it would have stolen 671.633.000.000 Lire.
-------------------------------------------------------------------------------
Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------
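The thread above turns on two questions: whether doubling the single quote is enough, and whether backslashes must be escaped as well. The answer depends on the dialect. Standard SQL (and PostgreSQL 9.1 and later by default) treats a backslash inside '...' as an ordinary character, so only the quote needs doubling; the PostgreSQL default of that era (and E'...' literals today) treats backslashes as escape characters, which is the case Bruce's reply is worried about. The example below is added here and is not code from the thread or from PHP; it uses Python's built-in sqlite3 module as a stand-in, standard-conforming database, reconstructs the characters Daniele typed into the textarea as a constructed sample, and contrasts hand-built escaping (with a `backslash_escapes` flag modelling the other dialect) against a bound parameter, which needs no escaping code at all. The table and column names come from the post; the e-mail address is a placeholder.

```python
"""Escaping a string for an SQL INSERT versus binding it as a parameter.

Added example, not code from the mailing-list thread. SQLite is used as a
standard-conforming stand-in: backslashes inside '...' are plain characters
and a single quote is written as two single quotes.
"""
import sqlite3

# Constructed input: what the post typed into the textarea, one item per line
# (two backslashes, a literal backslash followed by n, a single quote,
# a double quote, and abc).
SAMPLE_TEXT = "\\\\\n\\n\n'\n\"\nabc"

PLACEHOLDER_EMAIL = "user@example.invalid"  # placeholder, not the poster's address


def quote_literal(value: str, backslash_escapes: bool = False) -> str:
    """Return `value` as a quoted SQL string literal.

    Standard SQL needs only the single quote doubled. Dialects where a
    backslash starts an escape sequence (pre-9.1 PostgreSQL defaults, E'...'
    literals) additionally need every backslash doubled, otherwise "\\n" in the
    input is read back as a newline and a trailing backslash swallows the
    closing quote.
    """
    escaped = value.replace("'", "''")
    if backslash_escapes:
        escaped = escaped.replace("\\", "\\\\")
    return "'" + escaped + "'"


def build_insert(email: str, sdescr: str, ldescr: str, version: str,
                 backslash_escapes: bool = False) -> str:
    """Build the INSERT from the post by escaping each value (sprintf style)."""
    def q(v: str) -> str:
        return quote_literal(v, backslash_escapes)
    return ("INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES ("
            f"{q(email)},{q(sdescr)},{q(ldescr)},{q(version)},'Open')")


def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bugdb (email TEXT, sdescr TEXT, ldescr TEXT,"
                 " version TEXT, status TEXT)")
    return conn


def round_trip_escaped(text: str, backslash_escapes: bool = False) -> str:
    """Insert `text` through string building, then read it back."""
    conn = _fresh_db()
    conn.execute(build_insert(PLACEHOLDER_EMAIL, "Test3", text, "3.0.0",
                              backslash_escapes))
    (stored,) = conn.execute("SELECT ldescr FROM bugdb").fetchone()
    conn.close()
    return stored


def round_trip_parameterized(text: str) -> str:
    """Insert `text` as a bound parameter: the driver handles quoting."""
    conn = _fresh_db()
    conn.execute("INSERT INTO bugdb (email,sdescr,ldescr,version,status)"
                 " VALUES (?,?,?,?,'Open')",
                 (PLACEHOLDER_EMAIL, "Test3", text, "3.0.0"))
    (stored,) = conn.execute("SELECT ldescr FROM bugdb").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    print(build_insert(PLACEHOLDER_EMAIL, "Test3", SAMPLE_TEXT, "3.0.0"))
    print("escaped, standard dialect :", round_trip_escaped(SAMPLE_TEXT) == SAMPLE_TEXT)
    # Doubling backslashes for a standard-conforming database stores them doubled.
    print("escaped, backslash dialect:",
          round_trip_escaped(SAMPLE_TEXT, backslash_escapes=True) == SAMPLE_TEXT)
    print("parameterized             :", round_trip_parameterized(SAMPLE_TEXT) == SAMPLE_TEXT)
```

Running it shows the mismatch the thread is circling: the quote-doubling form round-trips exactly on a standard-conforming database, the backslash-doubling form stores every backslash twice on that same database (and, conversely, the plain form would lose the `\n` on a backslash-escaping one), while the bound parameter round-trips on either because the server never parses the value as part of the statement. That is the reason bound parameters, not escaping routines such as addslashes or ereg_replace, are the usual recommendation.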
