[TriLUG] PHP strange code question

David McDowell turnpike420 at gmail.com
Fri Jan 7 16:10:04 EST 2005


FC3, Apache 2.x, PHP 4.3.9, and yes, MSSQL 2000 is the DB.

$Event = "\"".$_POST['event']."\"";

$calquerya = "Insert Into Calendar (CalDate, CalEvent, OwnEvent,
TextB, TextI, TextU, Personal) Values
('$PDate',$Event,'$AUser','$TB','$TI','$TU','$P')";

Note in the above SQL statement the lack of single quotes around $Event.

The Event field comes POSTed from an HTML form with this TEXTAREA code:

<TEXTAREA name="event" rows="2" cols="30">
<?
        if ($_POST['event']){
                echo stripslashes($_POST['event']);
                } else {
                echo stripslashes($calrow1['CalEvent']);} ?>
</TEXTAREA>

Here is the reason for my question. Since Event is a TEXTAREA that
could contain contractions or ownership denoted by a single tick
(apostrophe, etc., such as: it's or David's), to POST the form to
itself, interact with the database (MSSQL), and reprocess with PHP,
$Event must be set the way you see above with the "\"" stuff, which I
presume physically puts the double quotes into the string for the
SQL statement. Am I missing some facts, or is this something we may
have to do on a regular basis? This is the same PHP page: form
processing and interaction with the database intermingled. Something
about this just doesn't feel right (and no "duh, MSSQL" comments
please... I can't change that).

This does not seem to work or meet our needs (escaping the apostrophe):
$Event = addslashes($_POST['event']);

I hope I have given enough information for parsing.  Anything you see
you can throw my way would be much appreciated.

Thanks,
David
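An added worked example, not part of David's post or of any reply on the list, that shows offline what each quoting strategy in the question actually sends to SQL Server, why addslashes() does not help with MSSQL, and what the durable fix looks like. It assumes PHP 7 or later; the column names are taken from the post, the date, user and event texts are constructed, and the PDO-based function assumes a pdo_sqlsrv or pdo_dblib connection that is not available here, so it is defined but not called.

```php
<?php
// Added example, not code from the original post. Runs offline with PHP 7+:
// it only builds SQL strings and prints them, so the reader can see what
// each quoting strategy actually sends to SQL Server. Column names follow
// the post; the $pdate/$user values and the event texts are constructed.

// T-SQL escapes an apostrophe inside a '...' literal by doubling it.
// It has no backslash escape, which is why addslashes() output is wrong
// for MSSQL: 'David\'s' is the literal David\ followed by a stray s'.
function mssql_quote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// The construction from the post: bare "..." around the POSTed text.
// This parses only while the session has QUOTED_IDENTIFIER OFF; with it ON
// (the ANSI behaviour) "..." is an identifier, not a string literal. It also
// breaks on any event text containing a double quote, and it does nothing
// to stop a value that closes the quotes and appends its own statement.
function build_insert_original(string $pdate, string $event, string $user): string
{
    $quoted = "\"" . $event . "\"";
    return "Insert Into Calendar (CalDate, CalEvent, OwnEvent) "
         . "Values ('$pdate',$quoted,'$user')";
}

// Same statement with every value escaped the way SQL Server expects.
function build_insert_escaped(string $pdate, string $event, string $user): string
{
    return "Insert Into Calendar (CalDate, CalEvent, OwnEvent) Values ("
         . mssql_quote($pdate) . "," . mssql_quote($event) . "," . mssql_quote($user) . ")";
}

// The durable fix: a parameterized query, so the value never becomes part of
// the SQL text at all. Assumes a PDO connection via pdo_sqlsrv or pdo_dblib
// (an assumption; no database is available here, so this is not called).
function insert_event(PDO $db, string $pdate, string $event, string $user): bool
{
    $stmt = $db->prepare(
        'Insert Into Calendar (CalDate, CalEvent, OwnEvent) Values (?, ?, ?)'
    );
    return $stmt->execute([$pdate, $event, $user]);
}

// For echoing the value back into the TEXTAREA: encode for HTML, not for SQL.
// stripslashes() only belongs there if magic_quotes_gpc added the backslashes.
function textarea_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: an apostrophe, an embedded double quote, and a
// payload that closes the "..." and appends a second statement.
$samples = [
    "Pizza at David's",
    'Say "hi" to everyone',
    'x","u"); DELETE FROM Calendar;--',
];

foreach ($samples as $event) {
    echo "event      : $event\n";
    echo "addslashes : " . addslashes($event) . "\n";
    echo "original   : " . build_insert_original('2005-01-07', $event, 'david') . "\n";
    echo "escaped    : " . build_insert_escaped('2005-01-07', $event, 'david') . "\n";
    echo "textarea   : " . textarea_value($event) . "\n\n";
}
```

Run it with `php quoting.php` and compare the three statements per sample: the third input turns the original construction into an INSERT followed by a DELETE with the rest of the line commented out, while the escaped form stores it as inert text. One caveat for PHP 4 specifically: if magic_quotes_gpc is on, $_POST values arrive with backslashes already added, so they must be passed through stripslashes() before mssql_quote() or the backslashes end up stored in the CalEvent column; with parameters the driver handles the quoting and none of this applies.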
