insert .. values("OH"No")

--0-627961357-1257031756=:55004
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Thanks michael, Good question/observation - I am using a main stream l=
anguage - an almost-homemade scripting language =0Awhich does have a "repla=
ce" functionality which allows me to replave a ' with \' - on a =0Aper fiel=
d basis - as i have which dozens of fields to attend to, and would have to =
code this for each field. Which is a bit clunky.=0AAnything I can do a=
t the server end? Version 5.0.45. TIA Syd=0A =0A>Yes, there are p=
lenty of smart ways to deal with this. Each of them=0A>is somewhat dependa=
nt on whatever general purpose programming language=0A>you are using and/or=
the environment you are working in. >In PHP we have mysql_escape_stri=
ng() or PDO, in perl and Java, among=0A>others, prepared statements are gen=
erally used. python appears to use=0A>prepared statements under the covers=
... it provides an similar=0A>facility, at any rate. >What are you work=
ing in? >- michael dykman =0A>On Fri, Oct 30, 2009 at 12:06 PM, =
Sydney Puente wrote:=0A>> Hello,=0A>>=0A>> I am pop=
ulating mysql with data, from an external source, that now and again in=0A>=
> different fields has single quotes within the data intended to be inserte=
d into varchars.=0A>> This causes a sql parse error.=0A>> Is there are smar=
t way of dealing with this?=0A>>=0A>> TIA=0A>>=0A>> Syd
--0-627961357-1257031756=:55004--

Re: insert .. values("OH"No")

Nope, nothing you can do on the server end. The server will only
accept syntactically correct SQL statement and broken strings will
undermine that.

In practice, if you are careful to at least escape the quotes (ie '
--> \' ), you can avoid nasty SQL injection attacks, although some
statements may sill be broken.. in some contexts, % and & are also
candidates..

How is your home-made scipting language connecting to MySQL? If you
are using the MySQL C library, there is an 'escape string' function
designed specifically to clean up strings which are to be used as
values in SQL statement.. I don't know the name of that function off
the top of my head, but I"m pretty sure 'escape' is the keyword.

- michael dykman

On Sat, Oct 31, 2009 at 7:29 PM, Sydney Puente wro=
te:
> Thanks michael,
>
> Good question/observation - I am using a main stream language - an almost=
-homemade scripting language
> which does have a "replace" functionality which allows me to replave a ' =
with \' - on a
> per field basis - as i have which dozens of fields to attend to, and woul=
d have to code this for each field.
>
> Which is a bit clunky.
> Anything I can do at the server end? Version 5.0.45.
>
> TIA
>
> Syd
>
>>Yes, there are plenty of smart ways to deal with this. =A0Each of them
>>is somewhat dependant on whatever general purpose programming language
>>you are using and/or the environment you are working in.
>
>>In PHP we have mysql_escape_string() or PDO, in perl and Java, among
>>others, prepared statements are generally used. =A0python appears to use
>>prepared statements under the covers.. it provides an similar
>>facility, at any rate.
>
>>What are you working in?
>
> =A0>- michael dykman
>
>
>>On Fri, Oct 30, 2009 at 12:06 PM, Sydney Puente w=
rote:
>>> Hello,
>>>
>>> I am populating mysql with data, from an external source, that now and =
again in
>>> different fields has single quotes within the data intended to be inser=
ted into varchars.
>>> This causes a sql parse error.
>>> Is there are smart way of dealing with this?
>>>
>>> TIA
>>>
>>> Syd
>
>
>
>



--=20
- michael dykman
- mdykman@gmail.com

"May you live every day of your life."
Jonathan Swift

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=3Dgcdmg-mysql-2@m.gmane.o rg