Parse an input string to check/remove quotes 1

[GreatSeaSpider]

Hi all,

I've written a script to allow the manipulation of a database. It all works fine... but... the clever ppl using it are trying to use quotes ie " or ' in the text they are adding. This is causing problems as the sql query then has mis-matched quotes!

Being quite new to php (come from a java background) could anybody show me some bits of code giving examples of string parsing/manipulation in php?

would be greatly appreciated

Pete

 

[DRJ478]

Fortunately you are not the first to encounter this. The PHP folks have a function that escapes all offending characters:

http://ca2.php.net/manual/en/function.mysql-escape-string.php

This way you need not worry about quotes etc. and malicious arguments. It is prudent to use, because what if the user were to type:

"; DROP DATABASE mysql;

This is an extreme example, where also the access privileges would need to be really badly set. However, stuff like this is possible when you don't escape the chars.

 

[GreatSeaSpider]

Superb!

Thats just what i needed

thanks very much you have saved me from a lot of work manually parsing the string

here's a start for you

Pete

 

[csniffer]

lets hope no user ever has that level of database access lol

To err is human, to completely mess up takes a computer.