Subject Re: [ib-support] Insert String question: more detail
Author Helen Borrie
At 01:40 PM 24-04-02 +0000, you wrote:
>If a user enters into a form <input name="company" type='text'>
>Company_name: Dave's Company
>A single quote is used to show ownership.
>The php variable $company is placed within an insert statement.
>$sqlstring="Insert into Customers(customer_no,company_name)values
>This works fine as long as the user doesn't enter a single quote in
>the Company name field. How can the user enter a single quote without
>generating an error?

Write a function that gets applied to all "apostrophe-susceptible" strings
before the variable goes to $sqlstring - parse the string and spit each
character out to another variable. En route, if it finds a single or
double quote, it prepends a single quote escape character to it and spits
out the 2 characters in place of the one quote character.

Or change to Delphi and use its QuotedStr() function. Or ban companies
like Pete's Emporium and O'Reilly Books and Mom's Apple Pies :-))


All for Open and Open for All
Firebird Open SQL Database
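The escaping function described in the reply, written out as an added PHP example that is not part of the original thread. In SQL string literals (Firebird included) an apostrophe inside a value is written as two apostrophes, so the function emits `''` in place of each `'`. The function and variable names, the `$dbh` connection handle and the column list are assumptions for illustration; the unescaped form is also the classic SQL-injection opening, which is why the comment at the end points at bound parameters as the preferred fix.

```php
<?php
// Added example: escape apostrophes in a value that will be embedded in a
// SQL string literal, as the reply describes (walk the string, copy each
// character, and replace a single quote with two single quotes).
// Works byte-by-byte; a UTF-8 value is safe because the apostrophe (0x27)
// never appears inside a multi-byte sequence.
function escapeSqlLiteral(string $value): string
{
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $ch = $value[$i];
        if ($ch === "'") {
            $out .= "''";      // two characters replace the one quote
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

// Build the INSERT from the question with the escaped value wrapped in quotes.
// Table and column names follow the question; customer_no is assumed numeric.
function buildInsert(int $customerNo, string $company): string
{
    return "INSERT INTO Customers (customer_no, company_name) VALUES ("
        . $customerNo . ", '" . escapeSqlLiteral($company) . "')";
}

// Constructed sample inputs, including the apostrophe cases from the thread.
$samples = ["Dave's Company", "O'Reilly Books", "Acme Ltd"];
foreach ($samples as $company) {
    echo buildInsert(1, $company), "\n";
}
// e.g. INSERT INTO Customers (customer_no, company_name) VALUES (1, 'Dave''s Company')

// Preferred alternative: let the driver quote the value with bound parameters
// (PHP interbase/firebird extension; $dbh is an assumed open connection).
// $stmt = ibase_prepare($dbh,
//     "INSERT INTO Customers (customer_no, company_name) VALUES (?, ?)");
// ibase_execute($stmt, 1, $_POST['company']);
```

The per-character loop is what the reply asks for; `str_replace("'", "''", $value)` does the same job in one call. Either way, escaping must be applied to every user-supplied value that is spliced into the statement text, so the bound-parameter form at the end is the one to reach for when the driver supports it: the value never becomes part of the SQL text, and there is nothing left to escape.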