
php \ escape special character problem

  • 02-07-2007 04:35PM
    #1
    Registered Users, Registered Users 2 Posts: 94 ✭✭


    I'm trying to update an MS SQL db but I'm struggling with the pesky single quote. To update the db I need to convert a " ' " to " '' ". When I try this I end up with a \. Really annoying.

    $storyfixed = eregi_replace("'", "''", $story);

    and


    $storyfixed = eregi_replace('\'', '\'\'', $story);

    are both producing the same problem

    "help me'o" gets transformed into:--> 1, 'help me\''o', 'blank', CURRENT_TIMESTAMP

    Anybody got any ideas?


Comments

  • Closed Accounts Posts: 30 Mr. Magoo


    This should do it

    $storyfixed = str_replace("'",'"',$story);


  • Registered Users, Registered Users 2 Posts: 94 ✭✭sinkingfish


    Thanks for the help, we were both close...

    this worked : $storyfixed = str_replace("\'","''",$story);

    A little bit of trial and error!


  • Registered Users, Registered Users 2 Posts: 568 ✭✭✭phil


    There's an addslashes() function in PHP which does this. You should be aware of SQL injection vulnerabilities you are opening yourself up to whenever you insert anything into an SQL database from user input fields.

    It's normally wiser to use some of the database abstraction libraries knocking around like adodb.


  • Registered Users, Registered Users 2 Posts: 804 ✭✭✭TimTim


    phil wrote:
    There's an addslashes() function in PHP which does this. You should be aware of SQL injection vulnerabilities you are opening yourself up to whenever you insert anything into an SQL database from user input fields.

    It's normally wiser to use some of the database abstraction libraries knocking around like adodb.

    While I don't claim to be an anyway decent PHP coder, I've read/heard that using addslashes() and stripslashes() in a PHP application is just a plain stupid thing to do.

    If you are going to be using user input and putting it into a SQL database, mysql_real_escape_string() would be a better thing to use.


  • Registered Users, Registered Users 2 Posts: 1,393 ✭✭✭Inspector Gadget


    I'd suggest the adodb library too (it's very handy, in my opinion) - it's got a method called qstr() that does exactly this.

    Hope this helps,
    Gadget
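
The SQL injection concern raised in this thread, shown as an added example that is not code from any poster: a prepared statement with bound parameters stores the quote literally, so no manual doubling or slash handling is needed. Assumptions: the `stories` table and its columns are constructed, and an in-memory SQLite database (pdo_sqlite) stands in for the poster's MS SQL server so the script runs offline.

```php
<?php
// Added example, not code from the thread. Table and column names are constructed.
// Assumption: pdo_sqlite is enabled. Against MS SQL Server only the DSN passed to
// PDO changes (e.g. the pdo_sqlsrv driver); the prepare/execute calls stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stories (id INTEGER PRIMARY KEY, story TEXT, status TEXT)');

function saveStory(PDO $pdo, string $story): int
{
    // The value travels separately from the SQL text, so quotes and
    // backslashes in it are stored literally and never parsed as SQL.
    $stmt = $pdo->prepare('INSERT INTO stories (story, status) VALUES (:story, :status)');
    $stmt->execute([':story' => $story, ':status' => 'blank']);
    return (int) $pdo->lastInsertId();
}

function loadStory(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT story FROM stories WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample inputs: the thread's string, the same string with a
// backslash before the quote, and a value shaped like an injection attempt.
$samples = [
    "help me'o",
    "help me\\'o",
    "x', 'blank', CURRENT_TIMESTAMP); DROP TABLE stories; --",
];

foreach ($samples as $input) {
    $id = saveStory($pdo, $input);
    $stored = loadStory($pdo, $id);
    printf("%-58s %s\n", $input, $stored === $input ? 'round-trips unchanged' : 'ALTERED');
}

// Counting the rows afterwards confirms the inputs were stored as data, not run as SQL.
echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM stories')->fetchColumn(), "\n";
```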

