Subject Re: [ib-support] Insert String question: more detail
Author Helen Borrie
At 01:40 PM 24-04-02 +0000, you wrote:
>If a user enters into a form <input name="company" type='text'>
>
>Company_name: Dave's Company
>
>A single quote is used to show ownership.
>
>The php variable $company is placed within an insert statement.
>
>$sqlstring="Insert into Customers(customer_no,company_name)values
>(gen_id(gen_customer_no,1),'$company');";
>..execute($sqlstring)
>
>This works fine as long as the user doesn't enter a single quote in
>the Company name field. How can the user enter a single quote without
>generating an error?

Write a function that gets applied to all "apostrophe-susceptible" strings
before the variable goes to $sqlstring - parse the string and spit each
character out to another variable. En route, if it finds a single or
double quote, it prepends a single quote escape character to it and spits
out the 2 characters in place of the one quote character.

Or change to Delphi and use its QuotedStr() function. Or ban companies
like Pete's Emporium and O'Reilly Books and Mom's Apple Pies :-))

Helen

All for Open and Open for All
Firebird Open SQL Database · http://firebirdsql.org ·
http://users.tpg.com.au/helebor/
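An added example, not from the thread or its authors, showing the two ways to handle the apostrophe: the per-character escaping function Helen describes (in SQL a single quote inside a literal is escaped by doubling it, and double quotes need no escaping inside a single-quoted Firebird literal), and the alternative of passing the value as a parameter so it never touches the SQL text at all. The `$db` connection handle and the function names are assumptions for illustration; the sample company names are constructed.

```php
<?php
// Added example: handling an apostrophe in a value spliced into a
// Firebird/InterBase INSERT from PHP.

// 1. Manual escaping, as described in the reply: walk the string and
//    replace every single quote with two single quotes. Double quotes are
//    left alone; inside a single-quoted literal they are ordinary text.
function escape_sql_literal(string $value): string
{
    $out = '';
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $ch = $value[$i];
        $out .= ($ch === "'") ? "''" : $ch;
    }
    return $out;
}

function build_insert(string $company): string
{
    // The value is escaped *before* it is interpolated into the statement,
    // which is the only place the apostrophe problem (and any other quote
    // trouble in user input) can be caught when building SQL as a string.
    return "INSERT INTO Customers(customer_no, company_name) VALUES "
         . "(gen_id(gen_customer_no, 1), '" . escape_sql_literal($company) . "')";
}

// 2. Preferred: a parameterised statement. The driver sends the value
//    separately from the SQL text, so no escaping is needed and the input
//    cannot change the shape of the statement. $db is an open
//    ibase_connect() handle (assumed to exist).
function insert_customer_prepared($db, string $company): bool
{
    $stmt = ibase_prepare($db,
        "INSERT INTO Customers(customer_no, company_name) "
        . "VALUES (gen_id(gen_customer_no, 1), ?)");
    if ($stmt === false) {
        return false;
    }
    return ibase_execute($stmt, $company) !== false;
}

// Constructed sample inputs, including one carrying both quote characters.
foreach (["Dave's Company", "O'Reilly Books", 'Mom\'s "Apple" Pies'] as $name) {
    echo build_insert($name), "\n";
}
```

Running the script prints three INSERT statements in which each apostrophe appears as `''`, e.g. `'Dave''s Company'`, while the double quotes in the last name pass through unchanged.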