Problems in query with Apostrophe

buzeyga

Im not sure if this is a stupid question or not..but here we go.

When a user performs a search / post data / etc. through a site im in the process of building and includes a ' it breaks the MSSQL query. I can see the reason this is happening but looking for a solution.

For instance:

$theirinput1 = O'Neil breaks it in a query like:

query = "insert into testtable (data1, data2) VALUES('$theirinput', $theirinput2)"

any suggestions?

Thanx!

sid

query = "insert into testtable (data1, data2) VALUES('" . [man]addslashes/man . "', $theirinput2);";

when retrieving the data use [man]stripslashes()[/man]

buzeyga

have this:

$query1 = "select product from inventory where product like '%".addslashes($searchkey)."%'";

With the addslashes / stripslashes i am still getting the same problem:

Warning: mssql_query(): message: Line 1: Incorrect syntax near 't'. (severity 15) in c:\inetpub\bla\search.php on line 199

Warning: mssql_query(): message: Unclosed quotation mark before the character string ''. (severity 15) in c:\inetpub\bla\search.php on line 199

Warning: mssql_query(): Query failed in c:\inetpub\blablabla\search.php on line 199

mtimdog

Interesting, if you typed in t as the search word, the error should have said '%t%' instead of 't'

Anyway, post more of your code so we can understand a little more.

Also, you should use globals to reference $search unless you've already defined it as
$search=$POST(or $GET)['search'];

sid

is % a wildcard in mssql as well? im not familiar with mssql at all - i just assumed it would be the same as in mysql.

goldbug

try instead replacing the apostrophes ( ' ) with double apostrophes ( '' ) <not quotes>.

If magic_quotes_gpc is on, consider turning on magic_quotes_sybase as well.