Join Up! 104882 members and counting!

Login To PHPBuilder User Name: Password: Register A New Site Account * NOTE: This is for logging into the main site only! To login to the forums, click here

Linux Today Enterprise Linux Today Apache Today JustLinux.com Linux Planet PHPBuilder All Linux Devices Hiermenus DatabaseJournal Technology Jobs Covalent Extends Apache 2.0 to Microsoft ASP.NET ShopWorX - Support for Windows PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1 Network Risk Assessment Full-Featured, Java-Based Apache GUI Templates - why and how to use them in PHP3 PHP-Based Chat Room Building a PHP Calender In Case You Missed It...The Week of August 15, 2005 Protecting MySQL Sessions With SSH Tunnel (Port Forwarding)

php-db | 2005011

From: Jochem Maas (jochem <email protected>)
Date: 01/06/05

• Next message: garycao: "[PHP-DB] how can PHP 4 extension for SQLite 3"
• Previous message: Jochem Maas: "Re: [PHP-DB] & terminates string?"
• In reply to: PHPDiscuss - PHP Newsgroups and mailing lists: "[PHP-DB] SQL statement"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

PHPDiscuss - PHP Newsgroups and mailing lists wrote:
> Hello everybody,
> I'm building a small application and I have trouble passing a POST
> variable form one page to another inside the SQL statement.
>
> The query displayed below works great without the
> ".$_POST['CompanyName']."
>
> $query_company_listing = "SELECT CompanyID, CompanyName,
> CompanyOrDepartment, BillingAddress, City, PostalCode, PhoneNumber FROM
> company WHERE company.CompanyName=".$_POST['CompanyName']." ORDER BY
> CompanyName ASC";

you need to quote the string (company name) in the actual sql, compare
the following 2 statements (lets assume companyname is 'IBM'):

WRONG (this is what you are doing now):

SELECT CompanyID, CompanyName,CompanyOrDepartment, BillingAddress, City,
PostalCode, PhoneNumber FROM company WHERE company.CompanyName=IBM
ORDER BY CompanyName ASC

RIGHT:

SELECT CompanyID, CompanyName,CompanyOrDepartment, BillingAddress, City,
PostalCode, PhoneNumber FROM company WHERE company.CompanyName='IBM'
ORDER BY CompanyName ASC

there may be times when the companyname contains a single quote - that
will break your query unless you escape the single quote in the name
before placing the string into the query string... mysql.com can tell
you more.

>
> But it messes up if I include it because the first " is considered as the
> end of the previous one and so on, so the code gets messed up.
>
> I'll really appreciate any/all help!
> Have you all an excellent year!
> Jorge
>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

• Next message: garycao: "[PHP-DB] how can PHP 4 extension for SQLite 3"
• Previous message: Jochem Maas: "Re: [PHP-DB] & terminates string?"
• In reply to: PHPDiscuss - PHP Newsgroups and mailing lists: "[PHP-DB] SQL statement"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Columns / Articles | Tips / Quickies | News | News Linking and RSS Feeds | Shared Code Library Mail Archives | Support / Discussion Forums | Get Started! Links | Contribute! | Docs