Re: [Hampshire] A little help with php / mysql

Author: Brian Chivers
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] A little help with php / mysql
Hugo Mills wrote:
> On Wed, Feb 04, 2009 at 12:02:14PM +0000, Brian Chivers wrote:
>
>> I'm trying to insert the text below into a mysql table but it's complaining, I think it's the '
>> that's causing the problem.
>>
>> childrens's/youth program (general)
>>
>> The table is called stream and the field I'm trying to insert into is called genre and it's a
>> varchar(200) collation utf_general_ci
>>
>> This is the command I'm using
>>
>> mysql_query("INSERT INTO stream (channel, starttime, title, description, genre, filename) VALUES
>> ('$channel','$starttime','$title','$description','$genre','$filename')");
>>
>
>    Don't do that. :)
>
>    The problem you're seeing is the least troublesome and least
> damaging of the wide range of evil things that can happen if you write
> code like that.
>
>    If you're using the simple mysql_* functions in PHP, you should
> process *every* parameter passed to SQL through
> mysql_real_escape_string() before putting it into an SQL statement.
> However, this is still prone to breakage (if you forget to do it, for
> example).
>
>    I would strongly recommend installing the MDB2[1] package from
> PEAR[2], plus the MDB2 MySQL "driver" package, and using prepared
> statements[3].
>
>    Hugo.
>
> [1] http://pear.php.net/package/MDB2/docs
> [2] http://pear.php.net/
> [3] http://pear.php.net/manual/en/package.database.mdb2.intro-execute.php
>
Thanks for the pointers, this is what I ended up with

// Every value is escaped for the open MySQL connection before it is
// placed inside a quoted SQL literal, so an apostrophe in the data no
// longer terminates the literal early.
$insert_query = sprintf("INSERT INTO stream (channel, starttime, title,
description, genre, filename) VALUES ('%s','%s','%s','%s','%s','%s')",
            mysql_real_escape_string($channel),
            mysql_real_escape_string($starttime),
            mysql_real_escape_string($title),
            mysql_real_escape_string($description),
            mysql_real_escape_string($genre),
            mysql_real_escape_string($filename));


I realise it's not perfect, but as this will be used internally, not using
a webpage to get the data (it's all pulled from another mysql database),
I think it should be OK.

Hugo I would install the MDB2 but this is running on a Windows box & I'm
amazed that php works at all so don't want to add anything & risk
breaking it :-)

Thanks again
Brian

------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily the views of Portsmouth College
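As an added example, not code from either poster, here is the same INSERT written with a prepared statement, which is the approach Hugo recommends. It uses PHP's built-in PDO extension rather than the PEAR MDB2 package, and an in-memory SQLite database stands in for the MySQL server so it runs offline; the table layout follows the column list in Brian's query, and the sample row (including the genre value from the thread that contains an apostrophe) is constructed. The script first shows the interpolated query failing on that apostrophe, then the prepared statement inserting the row unchanged.

```php
<?php
// Added example: PDO prepared statement instead of string interpolation.
// SQLite in memory stands in for MySQL so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stream (channel TEXT, starttime TEXT, title TEXT,
                                description TEXT, genre TEXT, filename TEXT)');

// Constructed sample row; genre is the value from the thread that broke.
$row = [
    'channel'     => 'BBC One',
    'starttime'   => '2009-02-04 12:00:00',
    'title'       => 'Newsround',
    'description' => "Children's news bulletin",
    'genre'       => "childrens's/youth program (general)",
    'filename'    => 'newsround.ts',
];

// 1. The original interpolated query: the apostrophe in the data closes the
//    SQL string literal early, so the statement is malformed and fails.
//    Returns the database error message, or null if the insert succeeded.
function naiveInsert(PDO $db, array $r): ?string
{
    $sql = "INSERT INTO stream (channel, starttime, title, description, genre, filename)
            VALUES ('{$r['channel']}','{$r['starttime']}','{$r['title']}',
                    '{$r['description']}','{$r['genre']}','{$r['filename']}')";
    try {
        $db->exec($sql);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// 2. Prepared statement with named placeholders: the values are sent
//    separately from the SQL text, so quoting characters in the data cannot
//    alter the statement and there is no per-parameter escaping to forget.
function preparedInsert(PDO $db, array $r): int
{
    $stmt = $db->prepare(
        'INSERT INTO stream (channel, starttime, title, description, genre, filename)
         VALUES (:channel, :starttime, :title, :description, :genre, :filename)'
    );
    $stmt->execute($r);   // array keys match the placeholder names
    return $stmt->rowCount();
}

$err = naiveInsert($db, $row);
echo 'interpolated query: ' . ($err === null ? "inserted\n" : "failed: $err\n");

echo 'prepared statement: inserted ' . preparedInsert($db, $row) . " row\n";

// The apostrophe is stored exactly as supplied, with no escaping needed.
$stored = $db->query('SELECT genre FROM stream')->fetchColumn();
echo "stored genre: $stored\n";
```

Run with `php example.php`; the first attempt reports a syntax error from the database and the second inserts one row. Against a real MySQL server only the PDO DSN and credentials change; the prepared statement itself is the same, and it also covers the case Hugo warns about, where one call to mysql_real_escape_string() is forgotten.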