• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 329
  • Last Modified:

PHP isert quer help needed

Hi guys
I have the following query.
When I an insert query contains a quote (e.g. Kellog's), it fails to insert a record.

Can I just add mysql_real_escape_string around line 24?

mysql_real_escape_string(('$tkw', '$PID','$KWtkid','$kwSource_bulk','$kwType'))

Will this work?

Thanks

Matt
sample.txt
0
matthewdacruz
Asked:
matthewdacruz
4 Solutions
 
bayoubeastCommented:
You should use mysqli_real_escape_string and it should work.  mysql_real_escape_string should work too, but it's going to go away eventually.  You're missing some quotes in your post too, should be something like:

$inserts_sup[] = mysql_real_escape_string("('$tkw', '$PID','$KWtkid','$kwSource_bulk','$kwType')");

Open in new window


http://us3.php.net/mysql_real_escape_string
http://us3.php.net/manual/en/mysqli.real-escape-string.php
0
 
skullnobrainsCommented:
no. you need to escape each of the values and not the whole insert block or your query will break.

rather do something like

foreach (array('tkw', 'PID','KWtkid','kwSource_bulk','kwType') as varname)
  $$varname=mysql_real_escape_string($$varname);

$inserts_sup[] = "      ('$tkw', '$PID','$KWtkid','$kwSource_bulk','$kwType')";

i personally often user var_export (or addcslashes). advantage is that it is reversible, con is that it is vulnerable to injections using c escape sequences. in web server contexts, this is generally not a problem because they'd be handled beforehand.
0
 
Ray PaseurCommented:
Please see the article here.  It shows in detail, with examples, how to prepare data for use in a query, using either MySQLi or PDO.  It also shows what you must do to keep your scripts running in the future.  You cannot depend on MySQL any more.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

This page gives a mapping of the familiar but obsolete MySQL extensions to the current MySQLi and PDO extensions.
http://iconoun.com/mysql_mysqli_pdo_function_map.php

In case you're new to PHP and want to find some sturdy learning resources, check this out:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
0
 
bayoubeastCommented:
Oops, yes they're right you need to use the function to escape each variable individually.
0
 
matthewdacruzAuthor Commented:
Thanks Guys
Lot to think about
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now