Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Why extra \ characters to the query?

Posted on 2016-09-09
2
Medium Priority
?
92 Views
Last Modified: 2016-09-15
I have pretty simple php-script to mssql database. When the query (execute dbo.TyoVuoro2 @het='090276-110Y') is in the script it works fine. But when query is sended ($kutsu) to the script it have extra \ characters  (execute dbo.TyoVuoro2 @het=\'090276-110Y\') and it give error: Incorrect syntax near '090276-110Y\'.

What is wrong in the script:

<?php
header('Content-Type: application/xml; charset=ISO-8859-1'); 

$kutsu = $_GET[("kutsu")];

$runSQL = true;
//........................................................................................

$value = '<?xml version="1.0" encoding="ISO-8859-1"?>';
$value .= "<flashsql>";

//........................................................................................

error_reporting(0);

//........................................................................................

$myServer = "*";
$myUser = "*";
$myPass = "*";
$myDB = "*";

//........................................................................................

function myErrorHandler($errno, $errstr, $errfile, $errline) 
{
	// Do something other than output message.
	return true;
}

$old_error_handler = set_error_handler("myErrorHandler");

//........................................................................................

//connection to the database 
$dbhandle = mssql_connect($myServer, $myUser, $myPass);
	//or die("Couldn't connect to SQL Server on $myServer");

//........................................................................................

if($runSQL)
{
	if (!$dbhandle) 
	{
		//Could not connect to database
		$value.="<database_connection>0</database_connection>";
		$value.="<error>"."<![CDATA["."Database connection OFF (oma)"."]]>"."</error>";
		$value.="<errorKysely>"."<![CDATA[".$kutsu."]]>"."</errorKysely>";
	}
	else
	{
		$value.="<database_connection>1</database_connection>";
		
		if(!mssql_select_db($myDB, $dbhandle))
		{
			//Connected to database but cannot select database
			$value.="<database_selection>0</database_selection>";
			$value.="<error>"."<![CDATA["."Database selection OFF (oma 2)"."]]>"."</error>";
			$value.="<errorKysely>"."<![CDATA[".$kutsu."]]>"."</errorKysely>";
		}
		else
		{
			//Connected to and selected database
			$value.="<database_selection>1</database_selection>";
			
			$qry_val = iconv("UTF-8", "ISO-8859-1", $kutsu);
			//$qry_val = utf8_encode($kutsu);		
			
			if(!$result = mssql_query($qry_val))
			{
				$value.="<sql>0</sql>";
				$value.="<error>"."<![CDATA[".utf8_encode(mssql_get_last_message())."]]>"."</error>";
				$value.="<errorKysely>"."<![CDATA[".$kutsu."]]>"."</errorKysely>";
			}
			else
			{
				$value.="<sql>1</sql>"; //sql ran well
				$value.="<sama>0</sama>";
				$value.="<results>";

				$num_cols = mssql_num_fields($result);
				
				$count = 1;
				
				while ($row = mssql_fetch_row($result))
				{
					$value.="<record>";
					
					for($i=0; $i<$num_cols; $i++)
					{
						$vals = "<".mssql_field_name($result,$i)."><![CDATA[".$row[$i]."]]></".mssql_field_name($result,$i).">";
						$value.=$vals;
					}
					
					$value.="</record>";
					$count++;
				}
				
				$value.="</results>";
			}
		}
	}
}

$value.="</flashsql>";

echo $value;

Open in new window

0
Comment
Question by:Mirc Klö
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 41791732
The extra slashes appear to be an artifact of double escaping or magic quotes.  Not sure about that, but it's worth checking.  Details here:
https://www.experts-exchange.com/articles/6630/Magic-Quotes-a-bad-idea-from-day-one.html
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question