Re: [Hampshire] A little help with php / mysql

Author: Chris Smith
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] A little help with php / mysql

Brian Chivers wrote:
> I'm trying to insert the text below into a mysql table but it's
> complaining, I think it's the ' that's causing the problem.
>
> childrens's/youth program (general)
>
> The table is called stream and the field I'm trying to insert into is
> called genre and it's a varchar(200) collation utf_general_ci
>
> This is the command I'm using
>
> mysql_query("INSERT INTO stream (channel, starttime, title,
> description, genre, filename) VALUES
> ('$channel','$starttime','$title','$description','$genre','$filename')");
>
>
> All the other fields work OK & if I remove the ' from $genre it works
> OK.


It sounds like you're not doing any form of input validation; you really
should, otherwise you leave yourself open to all sorts of nasty attacks.

> Did think about doing a search & replace before I insert but I'd have
> to do it on the other fields as well so I'd like to be able to solve
> it another way :-)


Instead of building a query string, you can use parameterised
statements. The Wikipedia article on SQL injection attacks[1] is worth
reading, and contains a small example of how to achieve it with PHP/MySQL.

Chris
[1] http://en.wikipedia.org/wiki/SQL_injection
--
Chris Smith <cjs94@???>
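As an added illustration of the parameterised-statement approach Chris recommends (this is not code from the thread): the same INSERT into the "stream" table, first built by string interpolation as in Brian's message and then as a PDO prepared statement. It assumes PHP with PDO and uses an in-memory SQLite database so it runs without a MySQL server; against MySQL only the DSN passed to the PDO constructor changes.

```php
<?php
// Added example, not from the original thread. Demonstrates why the
// apostrophe in the genre value breaks an interpolated query and how a
// prepared statement handles it. SQLite in memory stands in for MySQL so
// the script runs offline; the prepared-statement code is the same for both.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stream (channel TEXT, starttime TEXT, title TEXT,
                                description TEXT, genre TEXT, filename TEXT)');

// Constructed sample row; only the genre value is taken from the thread.
$row = [
    'channel'     => 'BBC One',
    'starttime'   => '2009-02-04 12:00:00',
    'title'       => 'Example programme',
    'description' => 'A constructed description',
    'genre'       => "childrens's/youth program (general)",
    'filename'    => 'example.mpg',
];

// 1. String interpolation (the approach in the quoted message): the apostrophe
//    in $genre ends the SQL string literal early, so the database rejects the
//    statement. Any quote-bearing input could likewise change the query's meaning.
try {
    $db->exec("INSERT INTO stream (channel, starttime, title, description, genre, filename)
               VALUES ('{$row['channel']}','{$row['starttime']}','{$row['title']}',
                       '{$row['description']}','{$row['genre']}','{$row['filename']}')");
    echo "interpolated insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the SQL text and the values travel separately, so the
//    apostrophe is stored as plain data and cannot alter the statement.
$stmt = $db->prepare('INSERT INTO stream (channel, starttime, title, description, genre, filename)
                      VALUES (:channel, :starttime, :title, :description, :genre, :filename)');
$stmt->execute($row);   // array keys match the named placeholders

$stored = $db->query('SELECT genre FROM stream')->fetchColumn();
echo "stored genre: $stored\n";
```

The first INSERT reports a syntax error; the second stores the genre string intact, apostrophe included, with no search-and-replace on any field.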