[ciapug] Cleaning data for db storage
Tim Perdue
ciapug@cialug.org
Fri, 19 Mar 2004 09:57:08 -0600
Dave J. Hala Jr. wrote:
> You should be able to insert those characters, if they are escaped.
> Here's a little snippet of how I do my PHP/Mysql inserts:
>
>
> $connection = db_connect("Couldnt Connect to the Database");
>
> $SQL="INSERT mytable (AFN, MMO) VALUES ( \"$afn\", \"$mmo\" )";
>
> $result= mysql_query($SQL,$connection) or die (mysql_error());
I have to rail on you for the "or die" - my #1 pet peeve for php code.
Handle the error and display a proper page header/footer, don't just
quit and throw up your hands. I've railed about this for years...
Chris, I always leave magic_quotes_gpc on in my PHP so it automatically
adds slashes to escape any ' that a user may try to insert in their strings.
You should always surround your values in an SQL statement with ' like
he did above, or more readably like this:
$SQL = "INSERT mytable (AFN, MMO) VALUES ( '$afn', '$mmo' )";
$result = mysql_query($SQL, $connection);
if (!$result) {
    // Report the failure inside a complete page instead of "or die".
    $msg = "There was an error during update: " . mysql_error();
    page_header();   // the site's own layout functions; PHP's built-in header() needs a string argument
    echo $msg;
    page_footer();
} else {
    // success: continue rendering the page
}
Never do SQL without the ' around the values or a person could hack you
and drop your tables or really mess with your system.
Tim
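The same INSERT written the way the post recommends (values single-quoted, a real error page instead of "or die"), as an added example that is not code from the original thread; it escapes explicitly rather than relying on the magic_quotes_gpc ini setting, uses mysqli because mysql_* is gone since PHP 7.0, and assumes page_header()/page_footer() as the site's layout helpers and constructed connection details.

```php
<?php
// Added example, not code from the original post: the post's INSERT with every
// value single-quoted AND explicitly escaped, and errors rendered inside a full
// page instead of "or die". Uses mysqli (mysql_* was removed in PHP 7.0);
// page_header()/page_footer() stand in for the site's own layout helpers.

function page_header(): void { echo "<html><body>\n"; }
function page_footer(): void { echo "</body></html>\n"; }

// Undo the slashes magic_quotes_gpc adds when it is on (PHP < 5.4) so the
// explicit escaping below never double-escapes; the guard keeps this on PHP 8.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Single-quoted SQL literal, escaped for the connection's charset. Doing this
// unconditionally means correctness no longer hinges on an ini setting.
function sql_quote(mysqli $db, string $value): string {
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}
function insert_record(mysqli $db, string $afn, string $mmo): bool {
    $sql = "INSERT INTO mytable (AFN, MMO) VALUES ("
         . sql_quote($db, raw_input($afn)) . ", "
         . sql_quote($db, raw_input($mmo)) . ")";
    if (mysqli_query($db, $sql) === false) {
        // Handle the error: complete page, DB message escaped for HTML output.
        page_header();
        echo "There was an error during update: "
           . htmlspecialchars(mysqli_error($db), ENT_QUOTES);
        page_footer();
        return false;
    }
    return true;
}

// Constructed connection details; REPORT_OFF makes failures return false
// instead of throwing (the PHP 8.1+ default), so the checks above apply.
mysqli_report(MYSQLI_REPORT_OFF);
$db = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db === false) {
    page_header(); echo "Couldn't connect to the database."; page_footer();
    exit(1);
}
mysqli_set_charset($db, 'utf8mb4');
// An apostrophe in the value is stored intact instead of ending the literal.
insert_record($db, "O'Brien", $_POST['mmo'] ?? '');
```

With magic_quotes_gpc off, raw_input() is a no-op and the value is escaped exactly once; with it on, the slashes it added are removed first so the stored data is identical either way.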