Escaping single quotes in SELECT statement

shagymoe

Programmer
Apr 20, 2001
72
US
Hi all,

I'm new to PHP, though I have good experience with Perl. My question is about escaping single quotes in a SELECT statement. I have a form which I am trying to post to a PHP script. I want the form data ($_POST["partnumber"] and $_POST["date"]) to be used in the SELECT statement like this:

Code:
$stmt = OCIParse($conn, "select t1.seq_number, t2.ref_code, to_char(t1.insert_date, 'HH24:MI DD-MON-YY') from t1, t2 where t1.code = t2.st2 and t2.ref_code like '$_POST["partnumber"]' and t1.insert_date like '$_POST["date"]' order by t1.seq_number");

I also have some other form data that I am processing and when I change the partnumber and date fields to a value in the select statement, everything works right including the other POST data, but when I try to use the POST data in the select, I get nothing...not even an error.

I tried escaping the single quotes and tried escaping the $_ and tried putting double quotes inside the single quotes and tried escaping those and all kinds of other things...any suggestions?
 
All right, well, duh. I just answered my own question.

I simply assigned the POST data to variables and used the variables in the select statement like so:
Code:
$partnumber=$_POST['partnumber'];
$date=$_POST['date'];

$stmt = OCIParse($conn, "select t1.seq_number, t2.ref_code, to_char(t1.insert_date, 'HH24:MI DD-MON-YY') from t1, t2 where t1.code = t2.st2 and t2.ref_code like '$partnumber' and t1.insert_date like '$date' order by t1.seq_number");
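
The same query written with OCI8 bind variables instead of interpolating form values into the SQL string: the values no longer need quoting inside the statement, and a single quote in a form field cannot change the SQL. This is an added example, not code from the thread; `find_parts()`, the `inserted` alias and the connection details are assumptions, and it uses the current `oci_*` function names rather than `OCIParse`.

```php
<?php
// Added example: the thread's query with Oracle bind variables (OCI8).
// Assumptions: table/column names are the ones in the post; find_parts()
// is a hypothetical helper; credentials below are placeholders.
function find_parts($conn, string $partnumber, string $date): array
{
    // Placeholders (:pn, :dt) stay in the SQL text with no quotes around them.
    $sql = "select t1.seq_number, t2.ref_code,
                   to_char(t1.insert_date, 'HH24:MI DD-MON-YY') as inserted
              from t1, t2
             where t1.code = t2.st2
               and t2.ref_code like :pn
               and t1.insert_date like :dt
             order by t1.seq_number";
    $stmt = oci_parse($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException(oci_error($conn)['message']);
    }
    // Values travel separately from the statement, so a single quote in a
    // form field is data and cannot terminate the SQL string literal.
    oci_bind_by_name($stmt, ':pn', $partnumber);
    oci_bind_by_name($stmt, ':dt', $date);
    if (!oci_execute($stmt)) {
        throw new RuntimeException(oci_error($stmt)['message']);
    }
    $rows = [];
    while (($row = oci_fetch_array($stmt, OCI_ASSOC + OCI_RETURN_NULLS)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stmt);
    return $rows;
}

// Form input is still checked for presence and type before use.
$partnumber = $_POST['partnumber'] ?? '';
$date       = $_POST['date'] ?? '';
if (!is_string($partnumber) || !is_string($date) || $partnumber === '' || $date === '') {
    http_response_code(400);
    exit('partnumber and date are required');
}
$conn = oci_connect('app_user', 'app_password', 'localhost/XEPDB1'); // placeholders
if ($conn === false) {
    http_response_code(500);
    exit('database unavailable');
}
foreach (find_parts($conn, $partnumber, $date) as $row) {
    echo htmlspecialchars(implode(' ', $row)) . "<br>\n"; // encode on output
}
```

Any `%` or `_` in the submitted values still acts as a LIKE wildcard, because binding protects the statement structure, not the pattern semantics.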
 