Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more

x
?
Solved

PHP isert quer help needed

Posted on 2014-04-18
5
Medium Priority
?
326 Views
Last Modified: 2014-05-04
Hi guys
I have the following query.
When I an insert query contains a quote (e.g. Kellog's), it fails to insert a record.

Can I just add mysql_real_escape_string around line 24?

mysql_real_escape_string(('$tkw', '$PID','$KWtkid','$kwSource_bulk','$kwType'))

Will this work?

Thanks

Matt
sample.txt
0
Comment
Question by:matthewdacruz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 3

Assisted Solution

by:bayoubeast
bayoubeast earned 1000 total points
ID: 40009838
You should use mysqli_real_escape_string and it should work.  mysql_real_escape_string should work too, but it's going to go away eventually.  You're missing some quotes in your post too, should be something like:

$inserts_sup[] = mysql_real_escape_string("('$tkw', '$PID','$KWtkid','$kwSource_bulk','$kwType')");

Open in new window


http://us3.php.net/mysql_real_escape_string
http://us3.php.net/manual/en/mysqli.real-escape-string.php
0
 
LVL 27

Assisted Solution

by:skullnobrains
skullnobrains earned 500 total points
ID: 40010057
no. you need to escape each of the values and not the whole insert block or your query will break.

rather do something like

foreach (array('tkw', 'PID','KWtkid','kwSource_bulk','kwType') as varname)
  $$varname=mysql_real_escape_string($$varname);

$inserts_sup[] = "      ('$tkw', '$PID','$KWtkid','$kwSource_bulk','$kwType')";

i personally often user var_export (or addcslashes). advantage is that it is reversible, con is that it is vulnerable to injections using c escape sequences. in web server contexts, this is generally not a problem because they'd be handled beforehand.
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 40010373
Please see the article here.  It shows in detail, with examples, how to prepare data for use in a query, using either MySQLi or PDO.  It also shows what you must do to keep your scripts running in the future.  You cannot depend on MySQL any more.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

This page gives a mapping of the familiar but obsolete MySQL extensions to the current MySQLi and PDO extensions.
http://iconoun.com/mysql_mysqli_pdo_function_map.php

In case you're new to PHP and want to find some sturdy learning resources, check this out:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
0
 
LVL 3

Accepted Solution

by:
bayoubeast earned 1000 total points
ID: 40012933
Oops, yes they're right you need to use the function to escape each variable individually.
0
 

Author Closing Comment

by:matthewdacruz
ID: 40040089
Thanks Guys
Lot to think about
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I’ll look at how you can use a backup to start a secondary instance for MongoDB.
Instead of error trapping or hard-coding for non-updateable fields when using QODBC, let VBA automatically disable them when forms open. This way, users can view but not change the data. Part 1 explained how to use schema tables to do this. Part 2 h…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question