Re: [SQL] What do I need to escape in an Insert ? - Mailing list pgsql-sql

From Daniele Orlandi
Subject Re: [SQL] What do I need to escape in an Insert ?
Msg-id 35C1B80B.325F111D@orlandi.com
In response to Re: [SQL] What do I need to escape in an Insert ?  (Bruce Momjian <maillist@candle.pha.pa.us>)
List pgsql-sql

Bruce Momjian wrote:
>
> > I'm not sure if PHP's addslashes command will take care of single
> > quotes, I haven't tried it yet. I believe the proper escape for a
> > single quote in SQL is to put another single quote in front of it.
> > So if a person's last name is "O'Brien" it would be inserted as:
> >
> > INSERT INTO personel (fname,lname) VALUES ('Michael','O''Brien');
> >
> > So what I do is a Regular Expression Replace in PHP, like this:
> >
> >    $lname = ereg_replace("'", "''", $lname);
>
> But this does not handle backslashes in the string.  I think the PHP
> function does both.

Looking at the source of the Bug Database at php.net, I noticed that strings are
inserted as they are, without any escaping. I still don't know where and why,
but PHP seems to escape quotes and slashes by itself when working with strings.

For example, I have the following code in my page:

$Query=sprintf("INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES (
'%s','%s','%s','%s','Open' )",$EMail,$SDescr,$LDescr,$Version);

echo $Query;

In the textarea (ltext) I put:

\\
\n
'
"
abc

And the resulting query is:

INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES (
'daniele@orlandi.com','Test3','\\\\ \\n \' \" abc','3.0.0','Open' )

Well, I've not yet been able to confuse PostgreSQL, and everything I get from a
select is identical to what I put in with the insert.

Bye!

--
 Daniele

-------------------------------------------------------------------------------
Why use Windows, since there is a door?
(By fachat@galileo.rhein-neckar.de, Andre Fachat)
-------------------------------------------------------------------------------
 If Telecom Italia added one call unit per day to every subscriber, since the
 first of January it would have stolen 671.633.000.000 Lire.
-------------------------------------------------------------------------------
 Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
 Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------
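The thread argues about whether doubling single quotes is enough or whether backslashes must be handled too. The following is an added example, not code from the thread, written in Python rather than PHP: it embeds a value into the INSERT quoted above with either escaping rule, then decodes the string literals the way a PostgreSQL server would in each of its two modes (backslash treated as an escape, as in old servers and E'...' strings, or as an ordinary character, as with standard_conforming_strings on) and reports whether the value survives the round trip. The function names, the small literal parser and the sample values are my own; the table name `personel`, the textarea contents and the echoed `bugdb` query are copied from the message.

```python
# Added example (not code from the pgsql-sql thread): checks whether a value
# survives the round trip "escape -> embed in INSERT -> decode as the server
# would". Function names, the tiny literal parser and the sample values other
# than those copied from the message are my own construction.

# Backslash escapes the server expands in backslash-escape mode; any other
# escaped character stands for itself.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


def escape_quotes_only(value: str) -> str:
    """Michael's approach from the thread: only double the single quote."""
    return value.replace("'", "''")


def escape_quotes_and_backslashes(value: str) -> str:
    """Bruce's concern addressed: double backslashes too. Only correct when
    the server treats backslash as an escape character."""
    return value.replace("\\", "\\\\").replace("'", "''")


def parse_literal(sql: str, start: int, backslash_escapes: bool):
    """Decode one single-quoted literal starting at sql[start] == "'".
    Returns (decoded text, index just past the closing quote).
    backslash_escapes=True models the old PostgreSQL behaviour (and E'...'
    strings): a backslash escapes the next character. '' is always one quote."""
    out = []
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < len(sql):
            out.append(ESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def literals_in(sql: str, backslash_escapes: bool) -> list:
    """All single-quoted literal values of a statement, in order."""
    values, i = [], 0
    while i < len(sql):
        if sql[i] == "'":
            value, i = parse_literal(sql, i, backslash_escapes)
            values.append(value)
        else:
            i += 1
    return values


def build_insert(lname: str, escaper) -> str:
    """The INSERT from the thread, with lname escaped by the given function."""
    return ("INSERT INTO personel (fname,lname) VALUES ('Michael','"
            + escaper(lname) + "');")


def round_trips(value: str, escaper, backslash_escapes: bool) -> bool:
    """True when the server would decode exactly the two intended literals
    and the second one equals the original value."""
    try:
        decoded = literals_in(build_insert(value, escaper), backslash_escapes)
    except ValueError:  # the literal was never closed: the statement is broken
        return False
    return decoded == ["Michael", value]


# The query Daniele echoed in the message above (line break kept as shown).
DANIELE_QUERY = (
    "INSERT INTO bugdb (email,sdescr,ldescr,version,status) VALUES (\n"
    + r"'daniele@orlandi.com','Test3','\\\\ \\n \' \" abc','3.0.0','Open' )"
)


if __name__ == "__main__":
    for value in ["O'Brien", "C:\\temp", "trailing\\"]:
        for name, esc in [("quotes only", escape_quotes_only),
                          ("quotes+backslashes", escape_quotes_and_backslashes)]:
            for mode in (True, False):
                print(f"{value!r:14} {name:19} backslash_escapes={mode}: "
                      f"{round_trips(value, esc, mode)}")
    # Decoding Daniele's query in backslash-escape mode gives back exactly
    # what he typed into the textarea, which is what he observed.
    print(literals_in(DANIELE_QUERY, backslash_escapes=True))
```

Running it shows that neither escaping rule is right in both server modes: doubling only quotes breaks on a value that ends in a backslash when the server expands escapes, and doubling backslashes as well stores two backslashes when it does not (the default since PostgreSQL 9.1, where standard_conforming_strings is on). Because the correct rule depends on a server setting the application does not control, the robust fix is to pass the value as a bound parameter through the database driver instead of splicing escaped text into the statement.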
