Addslashes problem

nylex

Hi, I have a form to add news posts to a database. It works fine unless I insert something with slashes, eg. I don't know. When I do, I get:

Warning: SQL error: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''I don\\'t know ')'., SQL state 37000 in SQLExecDirect in c:\program files\apache group\apache\htdocs\nc\newsform.php on line 51
Post could not be added to database

My code:

if($Submit)
{
$Connect = odbc_connect("News", "NC", "TEST");

	$Query = "INSERT INTO News (Author, PostDate, Title, Post)";
	$Query .= "VALUES(";
	$Query .= "'" . addslashes($Author) . "', ";
	$Query .= "now(), ";
	$Query .= "'" . addslashes($Title) . "', ";
	$Query .= "'" . addslashes($Post) . "')";


		if(!(odbc_exec($Connect, $Query)))
		{
			print("Post could not be added to database");
		}
		else
		{
			print("Post added to database");
		}
}

What have I done wrong? Any help appreciated, thanx 🙂

fatbobo

This happens to me a lot too - a real pain when trying to insert to a DB. I usually run an ereg_replace just before sending any user-editable fields to a SQL statement.

Anon

Hey NC,

Don't use slashes to escape single quotes use 2 single quotes; 'i don''t know' not 'i don\'t know'.

Dave

nylex

Err ok, but what about a general case? What should I add/take out of my script? The same thing isn't gonna be entered all the time, it's gonna vary.

nylex

Could you give me an example please?