Single quotes in text-input

Anon

Hi,

playing around with a database-system and PHP, I wanted to design a web-page that let's me enter SQL commands in a form, submit them and have them executed by the database (private LAN => no security concerns).
Works all fine - as long as I don't want to do anything with text-strings in the database.
For example, if I enter

SELECT * FROM table WHERE name = 'foo';

and post it then PHP turns that string into

SELECT * FROM table WHERE name = \'foo\';

which is something my database system can not digest, so I get

parse error at or near "\"

Any clues? All help is appreciated!

With warm greetings from cold Berchtesgaden, Germany,

Tobi

P.S.: I know I talk a lot about SQL and database, but the actual problem seems to be more a normal coding thing, so I hope this is the right place to ask...

Anon

you might want to try addslashes();

ex: $sql = "SELECT * FROM table WHERE name = 'foo'";
$sql = addslashes($sql);
echo $sql; // this will let you see how php will parse the resulting text string.

You could then use stripslashes(); when returning the resulting text string from the database if you need to use the original sql statement (without the added slashes).

hope this helps.

Anon

Hi Ralph,

thank you very much. Your hint helped me, though it was quite the other way around:

My problem was to get the string in the right shape for database-input, i.e. without additional slashes.

So, I had to make it

$sql = "SELECT * FROM table WHERE name = 'foo'";
$sql = stripslasches($sql);
$result = p_exec($db_connection,$sql);

... and it worked :-)

Live,
Love,
Laugh