php \ escap special character problem

sinkingfish · 02-07-2007 3:35pm #1

Im trying to update an ms sql db but im strugglin with the pesky single quote. To update the db i need to covert a " ' " to " '' ". Then i try this i end up with a \. Really annoying.

$storyfixed = eregi_replace("'", "''", $story);

and

$storyfixed = eregi_replace('\'', '\'\'', $story);

are both producing the same problem

"help me'o" gets transformed into:--> 1, 'help me\''o', 'blank', CURRENT_TIMESTAMP

Anybody got any ideas?

Mr. Magoo · 02-07-2007 8:47pm

This should do it

$storyfixed = str_replace("'",'"',$story);

sinkingfish · 03-07-2007 8:29am

Thanks for the help, we were both close...

this worked : $storyfixed = str_replace("\'","''",$story);

A little bit of trial and error!

phil · 03-07-2007 11:23am

There's an addslashes() function in PHP which does this. You should be aware of SQL injection vulnerabilities you are opening yourself up to whenever you insert anything into an SQL database from user input fields.

It's normally wiser to use some of the database abstraction libraries knocking around like adodb.

TimTim · 03-07-2007 11:02pm

phil wrote:

There's an addslashes() function in PHP which does this. You should be aware of SQL injection vulnerabilities you are opening yourself up to whenever you insert anything into an SQL database from user input fields.

It's normally wiser to use some of the database abstraction libraries knocking around like adodb.

While I don't claim to be an anyway decent php coder. I've read/heard using addslashes() and stripslashes() in a php application is just a plain stupid thing to do.

If you are going to be using user input and putting it into a sql database mysql_real_escape_string() would better thing to use.

Inspector Gadget · 04-07-2007 12:20am

I'd suggest the adodb library too (it's very handy, in my opinion) - it's got a method called qstr() that does exactly this.

Hope this helps,
Gadget

php \ escap special character problem

Comments