Check line 317
Hi,
When a user signs up for my image Hosting service they
UPDATE users SET name='ZOMG, it's Cynn', username='usersemail@email.com' , password='their_password', email='usersemail@email.com' WHERE other_id='2341'
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Cynn', username='usersemail@email.com', in line #317
You have an apostrophe in name='ZOMG, it's Cynn', you gotta use double quotes i.e. name="ZOMG, it's Cynn". Enjoy!
Cogito, ergo sum!
This would work as long as you know they are going to use a single quote, but because you don't know whether the user is going to use a single quote in their name or even a double quote (i.e., Sam "the Man"), it's best to simply escape the variable...
Originally Posted by DomainMaster
... or (less desirable), replace any single quotes with double single quotes..
Code:
name='".addslashes($name)."',
Code:
name='".str_replace("'", "''", $name)."',
Sam
--
I'm just waiting 'til the shine wears off.
If Someone would like to earn $3 via PayPal to fix this PM me.
Thanks,
--Brian R.
Code:
UPDATE users SET name='ZOMG, it\'s Cynn', username='usersemail@email.com' , password='their_password', email='usersemail@email.com' WHERE other_id='2341'
Not sure about MySQL, but in MS SQL it's this:
UPDATE users SET name='ZOMG, it''s Cynn', username='usersemail@email.com' , password='their_password', email='usersemail@email.com' WHERE other_id='2341'
All incoming text MUST be protected by doubling any quotes (it will be a single quote in the DB).
Code:
name = replace(name,''','''')
If other_id is numeric you don't use quotes.
JuniperPark, IT Web Team, DomainMaster and myself have all answered your question: You have to deal with the possibility of a single quote in your form.
If you still need help, PM me your source code relating to the construction of the SQL statement, and I will send it back showing you where to escape the value to avoid this faux pas.
If your code is too large for PM you can email me at domains at diverge dot com.
Sam
--
I'm just waiting 'til the shine wears off.
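As an added example (not code from the thread or any poster), the failure and the two fixes discussed above, run against an in-memory SQLite table that mirrors the thread's users table. Quote doubling and bound parameters both work in MySQL as well; the backslash form from Brian's reply is MySQL-specific (SQLite does not treat backslash as an escape) and is not shown.

```python
import sqlite3

# Constructed sample values mirroring the thread's UPDATE statement.
NAME = "ZOMG, it's Cynn"
EMAIL = "usersemail@email.com"
OTHER_ID = 2341  # numeric column, so no quotes around it in SQL


def make_db():
    """Fresh in-memory table with one row to update (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (other_id INTEGER PRIMARY KEY, name TEXT, "
                 "username TEXT, password TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES (?, 'old', 'old', 'old', 'old')", (OTHER_ID,))
    return conn


def current_name(conn):
    return conn.execute("SELECT name FROM users WHERE other_id=?", (OTHER_ID,)).fetchone()[0]


def update_concat(conn, name):
    """The failing approach: the raw value is spliced into the SQL text.
    The apostrophe in the name closes the string literal early and the parser
    sees "s Cynn'..." as stray tokens, exactly like the error in the first post."""
    sql = ("UPDATE users SET name='" + name + "', username='" + EMAIL + "', "
           "password='their_password', email='" + EMAIL + "' WHERE other_id=" + str(OTHER_ID))
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.OperationalError as e:
        return "syntax error: " + str(e)


def update_escaped(conn, name):
    """Doubling each single quote, as the MS SQL reply suggests; the stored value
    still contains a single quote."""
    safe = name.replace("'", "''")
    conn.execute("UPDATE users SET name='" + safe + "', username='" + EMAIL + "', "
                 "password='their_password', email='" + EMAIL + "' WHERE other_id=" + str(OTHER_ID))
    return current_name(conn)


def update_param(conn, name):
    """Bound parameters: the driver passes the value separately, so no character
    in the name can change the meaning of the statement. Preferred fix."""
    conn.execute("UPDATE users SET name=?, username=?, password=?, email=? WHERE other_id=?",
                 (name, EMAIL, "their_password", EMAIL, OTHER_ID))
    return current_name(conn)
```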