submitting varchar string from form / escape characters

am 10.09.2002 18:30:21 von hellau

hi all,

I am using pgsql with php and have the following
problem:
I have a form which lets the user dynamically select a
table; after this query he gets a list of possible
attributes; after selecting one he can do a subquery
and select a second attribute, an operator, and a
value. After this I put the final sql query string
together like:
$sql = "SELECT $attribute FROM $table WHERE $attribute2
$operator $value";
This string is now submitted to another php document
doing the query and tabbing the results out. If $value
is a number, everything works fine, but if $value is a
string with several words, commas and/or spaces
inside, I get an error message. When I try to do
something like "'".$value."'" I always get: ERROR:
parser: parse error at or near "\"

I tried all possibilities of escape characters I could
think of. If somebody knows what I am missing, help
would be appreciated.


Tom


---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org

Re: submitting varchar string from form / escape characters

am 10.09.2002 20:42:46 von Keary Suska

on 9/10/02 10:30 AM, hellau@20min.ch purportedly said:

> I am using pgsql with php and have the following
> problem:
> I have a form which lets the user dynamically select a
> table; after this query he gets a list of possible
> attributes; after selecting one he can do a subquery
> and select a second attribute, an operator, and a
> value. After this I put the final sql query string
> together like:
> $sql = "SELECT $attribute FROM $table WHERE $attribute2
> $operator $value";
> This string is now submitted to another php document
> doing the query and tabbing the results out. If $value
> is a number, everything works fine, but if $value is a
> string with several words, commas and/or spaces
> inside, I get an error message. When I try to do
> something like "'".$value."'" I always get: ERROR:
> parser: parse error at or near "\"
>
> I tried all possibilities of escape characters I could
> think of. If somebody knows what I am missing, help
> would be appreciated.

Always use quotes regardless of a column value (numeric vs string), e.g.
'$value'. Postgres is smart enough to convert quoted numbers to numeric
values. I am not sure if there is overhead associated with this, but the
only other option is to analyze the column type and act accordingly.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"
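
An added example, not code from either post: the same dynamic query built so that the value never needs hand-placed quotes or escape characters, and so that the query is assembled and run in one server-side script instead of being carried through the form. The table, column and operator names cannot be bound as parameters, so they are checked against a server-side allowlist (the names and the connection string here are constructed placeholders); the value is passed to pg_query_params (PHP 5.1 or later) as a bound parameter, so commas, spaces and quotes in it are handled by the driver.

```php
<?php
// Constructed allowlist: what the "pick a table, then pick an attribute"
// step is allowed to offer. Keep it server-side; never trust the form
// to tell you which identifiers are legitimate.
const ALLOWED_COLUMNS = [
    'customers' => ['id', 'name', 'city'],
    'orders'    => ['id', 'customer_id', 'total'],
];
const ALLOWED_OPERATORS = ['=', '<>', '<', '>', '<=', '>=', 'LIKE'];

// Returns the SQL text with a $1 placeholder for the value, or throws
// if any identifier or the operator is not on the allowlist.
function build_query(string $table, string $attr, string $attr2, string $op): string
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("unknown table");
    }
    foreach ([$attr, $attr2] as $col) {
        if (!in_array($col, ALLOWED_COLUMNS[$table], true)) {
            throw new InvalidArgumentException("unknown column");
        }
    }
    if (!in_array($op, ALLOWED_OPERATORS, true)) {
        throw new InvalidArgumentException("unknown operator");
    }
    // Identifiers are known-good at this point; double quotes make them
    // explicit identifiers. $1 is a PostgreSQL positional parameter that
    // the server fills in, so the value is never spliced into the text.
    return sprintf('SELECT "%s" FROM "%s" WHERE "%s" %s $1',
                   $attr, $table, $attr2, $op);
}

// Usage, with the kind of value the thread had trouble with
// (e.g. "Smith, John  Jr."): the same script validates, builds and runs.
$conn = pg_connect("dbname=shop");  // assumed connection string
$sql  = build_query($_POST['table'] ?? '', $_POST['attribute'] ?? '',
                    $_POST['attribute2'] ?? '', $_POST['operator'] ?? '');
$res  = pg_query_params($conn, $sql, [$_POST['value'] ?? '']);
while ($row = pg_fetch_assoc($res)) {
    print_r($row);
}
```

Numbers work the same way: PostgreSQL casts the bound text parameter to the column's type, so no per-column "is it numeric?" check is needed.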
