Editing a string to add a \ before a ' (PHP Language forum, PHP Programming Forums)

Is there a function that allows you to add a \ before a ' in a string?
This is needed to store text in a mysql db, and I was wondering if there is a function which can do this to any ' which DO NOT already have one before them; this is so I can keep editing my text without all these \ building up.

Kind regards
Marc

monomaniac21 wrote:
> Is there a function that allows you to add a \ before a ' in a string.
> This is needed to store text in a mysql db and i was wondering if there
> is function which can do this to any ' which DO NOT already have one
> before them, this is so i can keep editing my text without all these \
> building up.
>
> Kind regards
>
> Marc

see addslashes()

-david-

monomaniac21 wrote:
> Is there a function that allows you to add a \ before a ' in a string.
> This is needed to store text in a mysql db

Use mysql_escape_string().

--
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

A computer is not a television or a microwave; it is a complex tool.

monomaniac21 wrote:
> Is there a function that allows you to add a \ before a ' in a string.
> This is needed to store text in a mysql db and i was wondering if there
> is function which can do this to any ' which DO NOT already have one
> before them, this is so i can keep editing my text without all these \
> building up.
>
> Kind regards
>
> Marc

I just include it in the insert statement, since you must know the datatype at insert time:

$sqli = "insert into tableA values ";
$sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

Michael Austin DBA.

noone wrote:
> $sqli = "insert into tableA values ";
> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";

PHP security 101: never ever put values posted by a user directly into a DB query, without checking them, escaping them, and treating them as nuclear waste.

The above is a very clear example of a SQL injection vulnerability.

--
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
http://acm.asoc.fi.upm.es/~mr/

Proudly running Debian Linux with 2.6.12-1-686 kernel, KDE3.5.0, and PHP 5.1.2-1 generating this signature.
Uptime: 20:16:47 up 23:45, 2 users, load average: 0.21, 0.37, 0.26

Iván Sánchez Ortega wrote:
> noone wrote:
>
>> $sqli = "insert into tableA values ";
>> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>
> PHP security 101: never ever put values posted by a user directly into a DB
> query, without checking them, escaping them, and treating them as nuclear
> waste.
>
> The above is a very clear example of a SQL injection vulnerability.

Goes without saying... merely a test example of how to enclose the varchar data with single-quote "'".

You also want to use a platform that is nearly impossible to crack. My choice is OpenVMS from HP - formerly Compaq - formerly Digital Equipment Corp (aka DEC). It's more scalable and has REAL clusters - not these pretend clusters like Veritas and Microsoft (bbbbarrfff). I also prefer Apache/Oracle Rdb - formerly DEC/Rdb and not to be confused with Oracle RDBMS (8/9/10g) - and PHP.

M.

noone wrote:
>>> $sqli = "insert into tableA values ";
>>> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>
> goes without saying... merely a test example of how to enclose the
> varchar data with single-quote "'".

That's an example of a SQL injection; you should know that, and you should teach newbies to use RDBMS-specific techniques of escaping alphanumeric data prior to its usage in any SQL statement instead of posting such an example.

This is how it should be done:

<?php
$varchar = mysql_real_escape_string($_POST['varchar']);
$integer = (int) $_POST['integer'];
$sqli = "insert into tableA values ('$varchar',$integer)";
?>

I will reiterate myself. Never ever trust *any* data entered by *any* user.

> You also want to use a platform that is nearly impossible to crack.

Why should I care about the platform, if anybody can inject SQL??

--
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

Reality-meter: [\.......] Hmmm! It must not be working.

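Added example, not code from the thread: Iván's fix (escape or type the value only when the query is built, never into the stored data) written with PDO bound parameters, which also shows why Marc's backslashes stop piling up on every edit. It assumes PDO with the SQLite driver and an in-memory database as an offline stand-in for MySQL; the table name tableA is from the thread, the column names are made up.

```php
<?php
// Added example (not from the thread). An in-memory SQLite database via PDO is
// assumed as an offline stand-in for MySQL; the same PDO calls work with a
// 'mysql:host=...;dbname=...' DSN. Table tableA is the thread's, columns are made up.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tableA (id INTEGER PRIMARY KEY, varchar_col TEXT, int_col INTEGER)');
    return $db;
}

// The safe form of the thread's INSERT: the SQL text holds only placeholders and the
// values travel separately, so a ' inside $varchar can never close the string literal.
function insertRow(PDO $db, string $varchar, int $integer): int {
    $stmt = $db->prepare('INSERT INTO tableA (varchar_col, int_col) VALUES (:v, :i)');
    $stmt->bindValue(':v', $varchar, PDO::PARAM_STR);
    $stmt->bindValue(':i', $integer, PDO::PARAM_INT);   // the (int) cast from the thread, enforced by the driver
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function updateText(PDO $db, int $id, string $varchar): void {
    $stmt = $db->prepare('UPDATE tableA SET varchar_col = :v WHERE id = :id');
    $stmt->execute([':v' => $varchar, ':id' => $id]);
}

function readText(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT varchar_col FROM tableA WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Marc's "slashes building up" happens when already-escaped text is stored and then
// escaped again on the next edit: each addslashes() pass multiplies the backslashes.
function doubleEscaped(string $s): string {
    return addslashes(addslashes($s));
}

$db   = openDb();
$text = "Marc's notes: it's 'quoted' text";   // constructed sample input (a form field in real use)
$id   = insertRow($db, $text, 42);
var_dump(readText($db, $id) === $text);       // stored verbatim: no backslashes were added

updateText($db, $id, readText($db, $id) . ' (edited)');   // edit and save again
var_dump(readText($db, $id) === $text . ' (edited)');     // still no backslashes in the data

var_dump(doubleEscaped("it's"));              // the build-up Marc saw when escaping at storage time
```
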
On 2006-02-04, David Haynes <david.haynes2@sympatico.ca> wrote:
> monomaniac21 wrote:
>> Is there a function that allows you to add a \ before a ' in a string.
>> This is needed to store text in a mysql db and i was wondering if there
>> is function which can do this to any ' which DO NOT already have one
>> before them, this is so i can keep editing my text without all these \
>> building up.
>>
>> Kind regards
>>
>> Marc
>>
> see addslashes()
>

and stripslashes()

Bye.
Jasen