How to insert a single quote (') into a database using PHP

Discussion in 'PHP' started by ksamir2004, Apr 24, 2008.

  1. #1
    Hi All,

    Whenever I am inserting single-quote data into an ORACLE 10g database with PHP, the data is not inserted. It comes out of the loop.

    example:
    $pwd="xyz's"; // contains a single quote
    $desc="abcdeg's"; // contains a single quote
    $query1="INSERT INTO HIGH_COST VALUES('$pwd','$desc')"; // the quote inside $pwd ends the SQL string literal early

    The data does not go into the database.

    If I insert

    $pwd="xyzs"; // single quote (') removed
    $desc="abcdegs"; // single quote (') removed
    $query1="INSERT INTO HIGH_COST VALUES('$pwd','$desc')";

    in this case the data goes into the database.

    Thanks
    Sam
     
    ksamir2004, Apr 24, 2008 IP
  2. CreativeClans

    CreativeClans Peon

    #2
    In MySQL you pass the values through MYSQL_REAL_ESCAPE_STRING, which will escape those '. I'm sure there'll be something similar for Oracle.
     
    CreativeClans, Apr 24, 2008 IP
  3. jestep

    jestep Prominent Member

    #3
    I think addslashes is the only function that you can use with Oracle.

    // Function calls are not interpolated inside a double-quoted string, so the call must be concatenated in:
    $query1 = "INSERT INTO HIGH_COST VALUES('" . addslashes($pwd) . "','" . addslashes($desc) . "')";

    You will need to run stripslashes when you pull data back out.
     
    jestep, Apr 24, 2008 IP
  4. andrew1056

    andrew1056 Peon

    #4
    Yeah, use addslashes... mysql_real_escape_string is for mysql only. For security purposes you should addslashes to everything though.

    Google sql injection attacks.
     
    andrew1056, Apr 24, 2008 IP
  5. Louis11

    Louis11 Active Member

    #5
    Just a quick little note, that I don't think anyone mentioned yet. When utilizing addslashes (or mysql_escape_string for that matter) it will in essence add a \ before every apostrophe and quote. The problem with this, at least from a display perspective, is that when you output your data it will still have the backslash in there. To alleviate this, output data wrapped in a stripslashes() function.

    http://www.php.net/manual/en/function.stripslashes.php

    Cheers,
    Louis
     
    Louis11, Apr 24, 2008 IP
  6. ksamir2004

    ksamir2004 Peon

    #6
    Hi, I used the addslashes function. It's not working. Do you have any idea how to block the single quote (') from the text box? If anyone tries to press single quote, it will not print there.

    You guys know JavaScript. Please send a script for this.

    Thanks
    Sam
     
    ksamir2004, Apr 25, 2008 IP
  7. madmax728

    madmax728 Banned

    #7
    function escapeQuotes(ele)
    {
        // "\\'" is a backslash followed by a quote; the string "\'" is just a quote,
        // so replacing with it did nothing. The /g flag replaces every quote, not only the first.
        ele.value = ele.value.replace(/'/g, "\\'");
        return ele.value;
    }
     
    madmax728, Apr 25, 2008 IP
  8. exodus

    exodus Well-Known Member

    #8
    $pwd = md5("xyz's"); // contains a single quote; the md5() hex digest contains no quotes
    $desc = htmlentities("abcdeg's", ENT_QUOTES); // ' becomes &#039;
    $query1 = "INSERT INTO HIGH_COST VALUES('$pwd','$desc')";

    First I would md5-protect any type of password. It adds a little, but it is still a layer of security. Next you can convert any ' or " into HTML codes, and that will render them just like a quote when displayed to users.
     
    exodus, Apr 25, 2008 IP
  9. Barti1987

    Barti1987 Well-Known Member

    #9
    $pwd=mysql_real_escape_string("xy'zs"); // escape the single quote (')
    $desc=mysql_real_escape_string("ab'cdegs"); // escape the single quote (')
    $query1="INSERT INTO HIGH_COST VALUES('$pwd','$desc')";

    Should work, even for Oracle.

    Peace,
     
    Barti1987, Apr 25, 2008 IP
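Every suggestion in the thread edits the value before splicing it into the SQL text. In Oracle SQL a quote inside a string literal is written as two quotes (''), and a backslash is an ordinary character, so addslashes() and mysql_real_escape_string() (which insert backslashes) do not produce valid Oracle SQL, and the backslashes have to be stripped again on output. The alternative is to keep the value out of the SQL text altogether with bound parameters. The following is an added example, not code posted by anyone in the thread: it inserts the original poster's values through a prepared statement and reads them back unchanged. The column names PWD and DESCR, the Oracle connection string, and the use of SQLite for the offline demo are assumptions; the thread does not give the table definition.

```php
<?php
// Added example, not code from the thread: bound parameters instead of hand-escaping.
declare(strict_types=1);

/**
 * Insert one row with a prepared statement. The values travel to the database
 * separately from the SQL text, so an apostrophe in $pwd or $desc can never end
 * the string literal early, and nothing is escaped on the way in or un-escaped
 * (stripslashes) on the way out. Column names PWD and DESCR are assumed.
 */
function insertHighCost(PDO $pdo, string $pwd, string $desc): void
{
    $stmt = $pdo->prepare('INSERT INTO HIGH_COST (PWD, DESCR) VALUES (:pwd, :descr)');
    $stmt->execute([':pwd' => $pwd, ':descr' => $desc]);
}

/**
 * The same insert through the oci8 extension, which PHP scripts talking to
 * Oracle 10g commonly used. Not run in the demo below because it needs a live
 * Oracle connection; $conn is the resource returned by oci_connect().
 */
function insertHighCostOci($conn, string $pwd, string $desc): bool
{
    $stmt = oci_parse($conn, 'INSERT INTO HIGH_COST (PWD, DESCR) VALUES (:pwd, :descr)');
    oci_bind_by_name($stmt, ':pwd', $pwd);
    oci_bind_by_name($stmt, ':descr', $desc);
    return oci_execute($stmt);
}

/** Read every row back as associative arrays with keys PWD and DESCR. */
function fetchHighCost(PDO $pdo): array
{
    return $pdo->query('SELECT PWD, DESCR FROM HIGH_COST', PDO::FETCH_ASSOC)->fetchAll();
}

// Demo against an in-memory SQLite database so the script runs offline.
// Against Oracle only the DSN changes, for example
//   new PDO('oci:dbname=//dbhost:1521/ORCL', $user, $pass)
// where host, port and service name are placeholders.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE HIGH_COST (PWD VARCHAR(255), DESCR VARCHAR(255))');

// The inputs that failed in the original post, plus constructed values holding
// both quote kinds and a backslash to show that nothing is altered in transit.
insertHighCost($pdo, "xyz's", "abcdeg's");
insertHighCost($pdo, "O'Brien", 'a "double" quote and a \\ backslash');

foreach (fetchHighCost($pdo) as $row) {
    // Values come back exactly as supplied: no backslashes to strip.
    printf("%s | %s\n", $row['PWD'], $row['DESCR']);
}
```

Run it with `php example.php`; the two rows print with their apostrophes, double quotes and backslash intact. Because the parameters are bound, the same function works whether the value is "xyz's", a blank string, or text typed into a form, which also removes the need for the JavaScript that strips or escapes quotes in the text box.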