Just Venting... SQL Preparation

How often do you run into a website that doesn't prepare data for database entry?

It's a bloody beginners programming error and sites that claim to be 'big' have it all over the place.

AskRobo Directory for instance. Submit a description with an apostrophe and you'll get:

when clicking the confirmation links. It happended before so I dropped them a contact enquiry but now 3 months later they haven't fixed it.

I've even seen it with e-commerce software providers. How silly is that?!

Please, everyone, addslashes is such an easy PHP function and I'm sure other languages offer the same. Prepare data prior to dumping it into a database or you'll get pissed off customers like me.

 

Yeah I hear you tops. but just for the sake of knowledge, it is much better to use mysql_real_escape_string() (with MySQL) or one of the equivalents for other RDBMS. Couln't resist

 

Goes to show how many options, other than doing nothing, are out there.

 

I hardly ever disagree with you Shawn, but look at what php.net says about mysql_escape_sring

 

There are 2 kinds of servers out there when if comes to adding " \ "
the ones that have "magic_quotes_gpc = On" and the ones that have it Off in the php.ini file.

The ones that have it On add the " \ " for you, (most code is written for these)
The ones that have it Off are a pain in the b***

 

No prob, I'm just sort up a detail freak BTW, I've been mulling over making a db class, just haven't gotten around to it yet.

 

Not when it comes to AdSense. Sorry for the corss-thread humor

 

LOL is an understatement Now you're destroying my self-esteem... bad shrink

 

Yeah, all the servers I've ever used had magic quotes on. I guess the bottom line is always TEST your code, if you can do UAT on it... don't assume code that's worked before will work in different configurations.

 

You can always test to see if magic quotes is on or off at the beginning of your script, and act accordingly. Then you'll never run into a problem.