Single quotes in INSERT statements?

Hello all,

I'm brand spanking new to the list and have a
quick question.

I was under the impression that addslashes() would
handle single quote marks in INSERT statements,
but when I execute the following:

$sql="UPDATE images SET orderno=$orderno,
url='".addslashes($url)."',
banner=$banner,caption='".addslashes($caption)."'
WHERE imageID=$imageID";

....and $caption contains something like:

"Don't look"

....the data is chopped off at the single quote mark.

How, if not addslashes(), does one handle this?

Thanks!
--
Skip Evans
Big Sky Penguin, LLC
61 W Broadway
Butte, Montana 59701
406-782-2240

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

Skip Evens wrote:
> Hello all,
>
> I'm brand spanking new to the list and have a
> quick question.
>
> I was under the impression that addslashes() would
> handle single quote marks in INSERT statements,
> but when I execute the following:
>
> $sql="UPDATE images SET orderno=$orderno,
> url='".addslashes($url)."',
> banner=$banner,caption='".addslashes($caption)."'
> WHERE imageID=$imageID";
>
> ...and $caption contains something like:
>
> "Don't look"
>
> ...the data is chopped off at the single quote mark.
>
> How, if not addslashes(), does one handle this?

Skip,

If you're using MySQl, try mysql_escape_string(), or
mysql_real_escape_string.
If using some other RDBMS, look for similar functions in their respective
manual(s).

You might also investigate the setting of the magic_quotes directive in
php.ini, or use
get_magic_quotes_gpc to return this value programmatically.

Hope this helps.

David

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

Hello David & all,

No, neither mysql_escape_string or
mysql_real_escape_string worked.

Yes, I am using MySQL, should have said that, sorry.

But anyway, even with both of these functions, the
data in the string containing the single quote as
in "Don't Look" is still being truncated at the
single quote mark.

Any other suggestions would be greatly appreciated.

Skip

dpgirago@mdanderson.org wrote:
> Skip Evens wrote:
>
>>Hello all,
>>
>>I'm brand spanking new to the list and have a
>>quick question.
>>
>>I was under the impression that addslashes() would
>>handle single quote marks in INSERT statements,
>>but when I execute the following:
>>
>>$sql="UPDATE images SET orderno=$orderno,
>>url='".addslashes($url)."',
>>banner=$banner,caption='".addslashes($caption)."'
>>WHERE imageID=$imageID";
>>
>>...and $caption contains something like:
>>
>>"Don't look"
>>
>>...the data is chopped off at the single quote mark.
>>
>>How, if not addslashes(), does one handle this?
>
>
> Skip,
>
> If you're using MySQl, try mysql_escape_string(), or
> mysql_real_escape_string.
> If using some other RDBMS, look for similar functions in their respective
> manual(s).
>
> You might also investigate the setting of the magic_quotes directive in
> php.ini, or use
> get_magic_quotes_gpc to return this value programmatically.
>
> Hope this helps.
>
> David
>
>
>

--
Skip Evans
Big Sky Penguin, LLC
61 W Broadway
Butte, Montana 59701
406-782-2240

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

Skip Evans wrote:
>>> I was under the impression that addslashes() would
>>> handle single quote marks in INSERT statements,
>>> but when I execute the following:
>>>
>>> $sql="UPDATE images SET orderno=$orderno,
>>> url='".addslashes($url)."',
>>> banner=$banner,caption='".addslashes($caption)."'
>>> WHERE imageID=$imageID";
>>>
>>> ...and $caption contains something like:
>>>
>>> "Don't look"
>>>
>>> ...the data is chopped off at the single quote mark.
>>>
>>> How, if not addslashes(), does one handle this?

Change the contents of $sql to use double quotes around the strings
instead of single - that's what real_escape_string was designed to
escape. Alternatively use str_replace to escape single quotes.

-Stut

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

------=_Part_22324_30002371.1145992203273
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

1) Check that the string is not being truncated because of the column lengt=
h

2) If you're seeing this data being truncated in the html output of your
site, check if it isn't being caused by outputing the data without properly
encoding special html characters.

3) ..... dunno

2006/4/25, Skip Evans :
>
> Hello all,
>
> I'm brand spanking new to the list and have a
> quick question.
>
> I was under the impression that addslashes() would
> handle single quote marks in INSERT statements,
> but when I execute the following:
>
> $sql=3D"UPDATE images SET orderno=3D$orderno,
> url=3D'".addslashes($url)."',
> banner=3D$banner,caption=3D'".addslashes($caption)."'
> WHERE imageID=3D$imageID";
>
> ...and $caption contains something like:
>
> "Don't look"
>
> ...the data is chopped off at the single quote mark.
>
> How, if not addslashes(), does one handle this?
>
> Thanks!
> --
> Skip Evans
> Big Sky Penguin, LLC
> 61 W Broadway
> Butte, Montana 59701
> 406-782-2240
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

------=_Part_22324_30002371.1145992203273--

Re: Single quotes in INSERT statements?

Martin Alterisio wrote:
> 1) Check that the string is not being truncated because of the column length
>
> 2) If you're seeing this data being truncated in the html output of your
> site, check if it isn't being caused by outputing the data without properly
> encoding special html characters.
>
> 3) ..... dunno

Do a select directly from the mysql console (bypassing php) to verify
that the data is really truncated in the db and not in the output
process (per Martin's suggestion.

--John


> 2006/4/25, Skip Evans :
>> Hello all,
>>
>> I'm brand spanking new to the list and have a
>> quick question.
>>
>> I was under the impression that addslashes() would
>> handle single quote marks in INSERT statements,
>> but when I execute the following:
>>
>> $sql="UPDATE images SET orderno=$orderno,
>> url='".addslashes($url)."',
>> banner=$banner,caption='".addslashes($caption)."'
>> WHERE imageID=$imageID";
>>
>> ...and $caption contains something like:
>>
>> "Don't look"
>>
>> ...the data is chopped off at the single quote mark.
>>
>> How, if not addslashes(), does one handle this?
>>
>> Thanks!
>> --
>> Skip Evans
>> Big Sky Penguin, LLC
>> 61 W Broadway
>> Butte, Montana 59701
>> 406-782-2240
>>
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

Martin Alterisio wrote:
> 1) Check that the string is not being truncated because of the column length
>

This was not it.

> 2) If you're seeing this data being truncated in the html output of your
> site, check if it isn't being caused by outputing the data without
> properly encoding special html characters.
>

Yup! This was it. The data was fine in the
database, so I wrapped the output with
htmlentities() and all came out good.

Thanks to Martin and all who made suggestions.

> 3) ..... dunno

See number 2 ;)

Thanks again!

--
Skip Evans
Big Sky Penguin, LLC
61 W Broadway
Butte, Montana 59701
406-782-2240

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

------=_Part_28443_21172395.1146018640753
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

2006/4/25, Skip Evans :
>
> Martin Alterisio wrote:
> > 1) Check that the string is not being truncated because of the column
> length
> >
>
> This was not it.


I was sure it wasn't but the first rule of debugging says "never discard a
possible cause, no mather how dumb it may seem"

> 2) If you're seeing this data being truncated in the html output of your
> > site, check if it isn't being caused by outputing the data without
> > properly encoding special html characters.
> >
>
> Yup! This was it. The data was fine in the
> database, so I wrapped the output with
> htmlentities() and all came out good.
>
> Thanks to Martin and all who made suggestions.


You're welcome.

> 3) ..... dunno
>
> See number 2 ;)
>
> Thanks again!
>
> --
> Skip Evans
> Big Sky Penguin, LLC
> 61 W Broadway
> Butte, Montana 59701
> 406-782-2240
>

------=_Part_28443_21172395.1146018640753--

Re: Single quotes in INSERT statements?

> Skip Evans wrote:
>
>>Hello all,
>>
>>I'm brand spanking new to the list and have a
>>quick question.
>>
>>I was under the impression that addslashes() would
>>handle single quote marks in INSERT statements,
>>but when I execute the following:
>>
>>$sql="UPDATE images SET orderno=$orderno,
>>url='".addslashes($url)."',
>>banner=$banner,caption='".addslashes($caption)."'
>>WHERE imageID=$imageID";
>>
>>...and $caption contains something like:
>>
>>"Don't look"
>>
>>...the data is chopped off at the single quote mark.
>>
>>How, if not addslashes(), does one handle this?

> No, neither mysql_escape_string or
> mysql_real_escape_string worked.
>
> Yes, I am using MySQL, should have said that, sorry.
>
> But anyway, even with both of these functions, the
> data in the string containing the single quote as
> in "Don't Look" is still being truncated at the
> single quote mark.
>
> Any other suggestions would be greatly appreciated.

> Skip

For the archives:

Subject of this thread is misleading since the problem was not one of an
INSERT failing but of HTML not displaying properly because of quotes or
other special characters in the text in the database. Just goes to show
that the best way to get the right answer is to analyze the problem
accurately and ask the right question.

David

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

------=_Part_7164_26228643.1146068899033
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

2006/4/26, dpgirago@mdanderson.org :
>
>
> > Skip Evans wrote:
> >
> >>Hello all,
> >>
> >>I'm brand spanking new to the list and have a
> >>quick question.
> >>
> >>I was under the impression that addslashes() would
> >>handle single quote marks in INSERT statements,
> >>but when I execute the following:
> >>
> >>$sql=3D"UPDATE images SET orderno=3D$orderno,
> >>url=3D'".addslashes($url)."',
> >>banner=3D$banner,caption=3D'".addslashes($caption)."'
> >>WHERE imageID=3D$imageID";
> >>
> >>...and $caption contains something like:
> >>
> >>"Don't look"
> >>
> >>...the data is chopped off at the single quote mark.
> >>
> >>How, if not addslashes(), does one handle this?
>
> > No, neither mysql_escape_string or
> > mysql_real_escape_string worked.
> >
> > Yes, I am using MySQL, should have said that, sorry.
> >
> > But anyway, even with both of these functions, the
> > data in the string containing the single quote as
> > in "Don't Look" is still being truncated at the
> > single quote mark.
> >
> > Any other suggestions would be greatly appreciated.
>
> > Skip
>
> For the archives:
>
> Subject of this thread is misleading since the problem was not one of an
> INSERT failing but of HTML not displaying properly because of quotes or
> other special characters in the text in the database. Just goes to show
> that the best way to get the right answer is to analyze the problem
> accurately and ask the right question.
>
> David


Well, 80% of solving a problem is finding out what the problem is. If you
ask them to solve that 80% on their own then asking for help is rather
pointless. Anyway I agree that the subject was misleading, but this was
caused by how he explained the problem, particularly on the assumption that
addslashes was not doing what it was supposed to do so. What I advise is to
avoid assumptions and just present the symptoms of the problem.

------=_Part_7164_26228643.1146068899033--

Re: Single quotes in INSERT statements?

Martin Alterisio wrote:

>2006/4/26, dpgirago@mdanderson.org :
>>
>>
>> > Skip Evans wrote:
>> >
>> >>Hello all,
>> >>
>> >>I'm brand spanking new to the list and have a
>> >>quick question.
>> >>
>> >>I was under the impression that addslashes() would
>> >>handle single quote marks in INSERT statements,
>> >>but when I execute the following:
>> >>
>> >>$sql="UPDATE images SET orderno=$orderno,
>> >>url='".addslashes($url)."',
>> >>banner=$banner,caption='".addslashes($caption)."'
>> >>WHERE imageID=$imageID";
>> >>
>> >>...and $caption contains something like:
>> >>
>> >>"Don't look"
>> >>
>> >>...the data is chopped off at the single quote mark.
>> >>
>> >>How, if not addslashes(), does one handle this?
>>
>> > No, neither mysql_escape_string or
>> > mysql_real_escape_string worked.
>> >
>> > Yes, I am using MySQL, should have said that, sorry.
>> >
>> > But anyway, even with both of these functions, the
>> > data in the string containing the single quote as
>> > in "Don't Look" is still being truncated at the
>> > single quote mark.
>> >
>> > Any other suggestions would be greatly appreciated.
>>
>> > Skip
>>
>> For the archives:
>>
>> Subject of this thread is misleading since the problem was not one of an
>> INSERT failing but of HTML not displaying properly because of quotes or
>> other special characters in the text in the database. Just goes to show
>> that the best way to get the right answer is to analyze the problem
>> accurately and ask the right question.
>>
>> David
>
> Well, 80% of solving a problem is finding out what the problem is. If you
> ask them to solve that 80% on their own then asking for help is rather
> pointless. Anyway I agree that the subject was misleading, but this was
> caused by how he explained the problem, particularly on the assumption
that
> addslashes was not doing what it was supposed to do so. What I advise is
to
> avoid assumptions and just present the symptoms of the problem.

The devil is in the detail, no?

I'm not disagreeing with you, Martin. Clearly incorrect assumptions were
made by the initial poster, and responses were consequently at first
off-base. Far be it for me to discourage anyone from asking a question,
well considered or not. And to be honest, I even rather enjoy those that
are off-topic.

My apologies if my preceding response seemed impatient or impolite. We all
once were beginners, and I still have one or more "brain dead" moments each
day. Reminds me I'm human.

David

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Single quotes in INSERT statements?

Geez, did I start all this?

I can see now that my initial assumption that
addslashes() was not doing what it was supposed to
do was wrong, and that I should have checked the
DB before firing off the message. Clearly I should
have done more investigation on my own. (Which is
often the case.)

However, the initial response that was made about
perhaps the field itself truncating the data
tipped me off to what I should have done
previously, look in the database, so once I did
that it was clear what the problem was.

And then another list member had mentioned
htmlentities() and that lit the the old proverbial
overhead bulb, and bingo: problem solved.

Perhaps a zig zag, somewhat sloppy path to the
solution, and I accept responsibility for that,
but a solution nonetheless. I must confess I'm
happy about that.

I do apologize for my assumption starting a thread
that was misnamed, and not doing the diligence
thing before firing off the message.

But I certainly do value and appreciate the
assistance given.

Skip

dpgirago@mdanderson.org wrote:
>
> Martin Alterisio wrote:
>
>
>>2006/4/26, dpgirago@mdanderson.org :
>>
>>>
>>>>Skip Evans wrote:
>>>>
>>>>
>>>>>Hello all,
>>>>>
>>>>>I'm brand spanking new to the list and have a
>>>>>quick question.
>>>>>
>>>>>I was under the impression that addslashes() would
>>>>>handle single quote marks in INSERT statements,
>>>>>but when I execute the following:
>>>>>
>>>>>$sql="UPDATE images SET orderno=$orderno,
>>>>>url='".addslashes($url)."',
>>>>>banner=$banner,caption='".addslashes($caption)."'
>>>>>WHERE imageID=$imageID";
>>>>>
>>>>>...and $caption contains something like:
>>>>>
>>>>>"Don't look"
>>>>>
>>>>>...the data is chopped off at the single quote mark.
>>>>>
>>>>>How, if not addslashes(), does one handle this?
>>>
>>>>No, neither mysql_escape_string or
>>>>mysql_real_escape_string worked.
>>>>
>>>>Yes, I am using MySQL, should have said that, sorry.
>>>>
>>>>But anyway, even with both of these functions, the
>>>>data in the string containing the single quote as
>>>>in "Don't Look" is still being truncated at the
>>>>single quote mark.
>>>>
>>>>Any other suggestions would be greatly appreciated.
>>>
>>>>Skip
>>>
>>>For the archives:
>>>
>>>Subject of this thread is misleading since the problem was not one of an
>>>INSERT failing but of HTML not displaying properly because of quotes or
>>>other special characters in the text in the database. Just goes to show
>>>that the best way to get the right answer is to analyze the problem
>>>accurately and ask the right question.
>>>
>>>David
>>
>>Well, 80% of solving a problem is finding out what the problem is. If you
>>ask them to solve that 80% on their own then asking for help is rather
>>pointless. Anyway I agree that the subject was misleading, but this was
>>caused by how he explained the problem, particularly on the assumption
>
> that
>
>>addslashes was not doing what it was supposed to do so. What I advise is
>
> to
>
>>avoid assumptions and just present the symptoms of the problem.
>
>
> The devil is in the detail, no?
>
> I'm not disagreeing with you, Martin. Clearly incorrect assumptions were
> made by the initial poster, and responses were consequently at first
> off-base. Far be it for me to discourage anyone from asking a question,
> well considered or not. And to be honest, I even rather enjoy those that
> are off-topic.
>
> My apologies if my preceding response seemed impatient or impolite. We all
> once were beginners, and I still have one or more "brain dead" moments each
> day. Reminds me I'm human.
>
> David
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

--
Skip Evans
Big Sky Penguin, LLC
61 W Broadway
Butte, Montana 59701
406-782-2240

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php