Subject | string guy |
---|---|
Author | Screawn |
Post date | 2002-04-26T05:54:22Z |
My original question was:
//***************************************
If a user enters into a form <input name="company" type='text'>
Company_name: Dave's Company
A single quote is used to show ownership.
The php variable $company is placed within an insert statement.
$sqlstring="Insert into Customers(customer_no,company_name)values
(gen_id(gen_customer_no,1),'$company');";
.execute($sqlstring)
This works fine as long as the user doesn't enter a single quote in
the Company name field. How can the user enter a single quote without
generating an error?
//**********************************************************
Thanks for the responses. I looked at many of the suggestions, and
replacing the single quote with a double quote works, but it seems
that PHP addslashes(), i.e. adding a slash character before the single
quote, doesn't work with InterBase. It seems actually much easier
just to not allow the single quote.
One more question about InterBase. Our company is using Paradox and
moving to InterBase. In Paradox, tables or records are
locked. InterBase supports transactions. I don't have
a complete understanding of transactions yet. In the situation below:
begin tran;
INSERT INTO invoice (...) values (...);
$parent_id = mysql_inserted_id();
for each shopping_cart_items
INSERT INTO invitems (...,invoice,..) VALUES (...,$parent_id,... );
DELETE FROM shopping_cart_items WHERE cart_id = ?
commit tran;
I can see the need for wrapping the transaction. Is this the only
time you need to use the transaction command, when there are multiple
statements that need to succeed or fail (all-or-nothing situation)?
So if you are just doing a single-statement insert into InterBase, it's
not necessary to wrap it in a transaction? Are there any other
situations where you need to wrap something in a transaction?
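
An added example, not part of the original post: the apostrophe problem and the invoice transaction from the question, reworked with bound parameters through PHP's PDO. It assumes an in-memory SQLite database as a stand-in for InterBase so it runs offline (SQLite, like standard SQL, has no backslash escape inside string literals); the table layouts and cart contents are constructed for the demo.

```php
<?php
// Added example. SQLite in memory stands in for InterBase so the script runs
// offline; table and column names are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (customer_no INTEGER PRIMARY KEY, company_name TEXT NOT NULL)');
$db->exec('CREATE TABLE invoice (id INTEGER PRIMARY KEY, customer_no INTEGER NOT NULL)');
$db->exec('CREATE TABLE invitems (invoice INTEGER NOT NULL, item TEXT NOT NULL)');

$company = "Dave's Company";   // constructed form input

// 1. Concatenation: the apostrophe closes the literal early and the statement fails.
try {
    $db->exec("INSERT INTO customers (company_name) VALUES ('$company')");
} catch (PDOException $e) {
    echo "concatenated: rejected\n";
}

// 2. addslashes() emits \' but standard SQL has no backslash escape, so it fails too.
try {
    $db->exec("INSERT INTO customers (company_name) VALUES ('" . addslashes($company) . "')");
} catch (PDOException $e) {
    echo "addslashes:   rejected\n";
}

// 3. Bound parameter: the value travels separately from the SQL text, so no
//    quoting is needed and input cannot change the statement's structure.
$ins = $db->prepare('INSERT INTO customers (company_name) VALUES (?)');
$ins->execute([$company]);
$customerNo = (int) $db->lastInsertId();
echo "bound:        stored ", $db->query('SELECT company_name FROM customers')->fetchColumn(), "\n";

// 4. Invoice header plus items as one unit of work: commit only if every
//    statement succeeds, otherwise roll the whole thing back.
$cart = ['widget', null];      // constructed cart; null violates NOT NULL
try {
    $db->beginTransaction();
    $db->prepare('INSERT INTO invoice (customer_no) VALUES (?)')->execute([$customerNo]);
    $invoiceId = (int) $db->lastInsertId();
    $item = $db->prepare('INSERT INTO invitems (invoice, item) VALUES (?, ?)');
    foreach ($cart as $name) {
        $item->execute([$invoiceId, $name]);
    }
    $db->commit();
} catch (PDOException $e) {
    $db->rollBack();
    echo "transaction:  rolled back\n";
}
echo "invoices after rollback: ", $db->query('SELECT COUNT(*) FROM invoice')->fetchColumn(), "\n";
```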