Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 94
  • Last Modified:

Why extra \ characters to the query?

I have pretty simple php-script to mssql database. When the query (execute dbo.TyoVuoro2 @het='090276-110Y') is in the script it works fine. But when query is sended ($kutsu) to the script it have extra \ characters  (execute dbo.TyoVuoro2 @het=\'090276-110Y\') and it give error: Incorrect syntax near '090276-110Y\'.

What is wrong in the script:

<?php
header('Content-Type: application/xml; charset=ISO-8859-1'); 

$kutsu = $_GET[("kutsu")];

$runSQL = true;
//........................................................................................

$value = '<?xml version="1.0" encoding="ISO-8859-1"?>';
$value .= "<flashsql>";

//........................................................................................

error_reporting(0);

//........................................................................................

$myServer = "*";
$myUser = "*";
$myPass = "*";
$myDB = "*";

//........................................................................................

function myErrorHandler($errno, $errstr, $errfile, $errline) 
{
	// Do something other than output message.
	return true;
}

$old_error_handler = set_error_handler("myErrorHandler");

//........................................................................................

//connection to the database 
$dbhandle = mssql_connect($myServer, $myUser, $myPass);
	//or die("Couldn't connect to SQL Server on $myServer");

//........................................................................................

if($runSQL)
{
	if (!$dbhandle) 
	{
		//Could not connect to database
		$value.="<database_connection>0</database_connection>";
		$value.="<error>"."<![CDATA["."Database connection OFF (oma)"."]]>"."</error>";
		$value.="<errorKysely>"."<![CDATA[".$kutsu."]]>"."</errorKysely>";
	}
	else
	{
		$value.="<database_connection>1</database_connection>";
		
		if(!mssql_select_db($myDB, $dbhandle))
		{
			//Connected to database but cannot select database
			$value.="<database_selection>0</database_selection>";
			$value.="<error>"."<![CDATA["."Database selection OFF (oma 2)"."]]>"."</error>";
			$value.="<errorKysely>"."<![CDATA[".$kutsu."]]>"."</errorKysely>";
		}
		else
		{
			//Connected to and selected database
			$value.="<database_selection>1</database_selection>";
			
			$qry_val = iconv("UTF-8", "ISO-8859-1", $kutsu);
			//$qry_val = utf8_encode($kutsu);		
			
			if(!$result = mssql_query($qry_val))
			{
				$value.="<sql>0</sql>";
				$value.="<error>"."<![CDATA[".utf8_encode(mssql_get_last_message())."]]>"."</error>";
				$value.="<errorKysely>"."<![CDATA[".$kutsu."]]>"."</errorKysely>";
			}
			else
			{
				$value.="<sql>1</sql>"; //sql ran well
				$value.="<sama>0</sama>";
				$value.="<results>";

				$num_cols = mssql_num_fields($result);
				
				$count = 1;
				
				while ($row = mssql_fetch_row($result))
				{
					$value.="<record>";
					
					for($i=0; $i<$num_cols; $i++)
					{
						$vals = "<".mssql_field_name($result,$i)."><![CDATA[".$row[$i]."]]></".mssql_field_name($result,$i).">";
						$value.=$vals;
					}
					
					$value.="</record>";
					$count++;
				}
				
				$value.="</results>";
			}
		}
	}
}

$value.="</flashsql>";

echo $value;

Open in new window

0
Mirc Klö
Asked:
Mirc Klö
1 Solution
 
Ray PaseurCommented:
The extra slashes appear to be an artifact of double escaping or magic quotes.  Not sure about that, but it's worth checking.  Details here:
https://www.experts-exchange.com/articles/6630/Magic-Quotes-a-bad-idea-from-day-one.html
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now