[TriLUG] PHP strange code question
David McDowell
turnpike420 at gmail.com
Fri Jan 7 16:10:04 EST 2005
FC3, Apache 2.x, PHP 4.3.9, and ya, MSSQL2000 is the db
$Event = "\"".$_POST['event']."\"";
$calquerya = "Insert Into Calendar (CalDate, CalEvent, OwnEvent,
TextB, TextI, TextU, Personal) Values
('$PDate',$Event,'$AUser','$TB','$TI','$TU','$P')";
Note in the above SQL statement the lack of single quotes around $Event.
The Event field comes POSTed from an HTML form with this TEXTAREA code:
<TEXTAREA name="event" rows="2" cols="30">
<?
if ($_POST['event']){
echo stripslashes($_POST['event']);
} else {
echo stripslashes($calrow1['CalEvent']);} ?>
</TEXTAREA>
Here is the reason for my question. Since Event is a TEXTAREA that
could contain contractions or ownership denoted by a single tick
(apostrophe, etc. such as: it's or David's) to POST the form to
itself, interact with the database (MSSQL) and reprocess with PHP,
$Event must be set the way you see above with the "\"" stuff, I
presume physically putting in the double quote into the string for the
SQL statement. Am I missing some facts or is this something we may
have to do on a regular basis? This is same PHP page form processing
and interaction with database intermingled. Something about this just
doesn't feel right (and no "duh, MSSQL" comments please... I can't
change that.)
This does not seem to work or meet our needs (escaping the apostrophe):
$Event = addslashes($_POST['event']);
I hope I have given enough information for parsing. Anything you see
you can throw my way would be much appreciated.
Thanks,
David
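
An added example, not part of the original post: it builds the INSERT value the three ways the message touches on (double-quote wrapping, addslashes(), quote doubling), then stores the same text through a parameterized statement so the apostrophe never becomes part of the SQL text. Assumptions: a current PHP with PDO (not available in PHP 4.3.9), an in-memory SQLite database standing in for MSSQL so the block runs offline, a reduced Calendar table, and a constructed sample event string.

```php
<?php
// Added example, not from the original post. Sample input is constructed.
// Assumption: SQLite in-memory stands in for MSSQL so this runs offline; both
// escape ' inside a string literal by doubling it and do not treat \ as an escape.
$event = 'David\'s "big" day; it\'s on';

// 1. The post's approach: wrap the raw value in double quotes. MSSQL parses
//    this as a string only when QUOTED_IDENTIFIER is OFF, and a " inside the
//    input ends the literal early, so the rest is parsed as SQL.
$wrapped = "\"" . $event . "\"";

// 2. addslashes() yields \' which T-SQL does not treat as an escape,
//    so the apostrophe still terminates a single-quoted literal.
$slashed = "'" . addslashes($event) . "'";

// 3. Doubling the quote is the escape T-SQL understands, but it is easy to
//    miss on one field; shown only to explain why (2) fails.
$doubled = "'" . str_replace("'", "''", $event) . "'";

$built = ['wrapped' => $wrapped, 'addslashes' => $slashed, 'doubled' => $doubled];
foreach ($built as $how => $literal) {
    echo str_pad($how, 11), "Values ($literal)\n";
}

// 4. Parameterized statement: the value is sent as data, never as SQL text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Calendar (CalDate TEXT, CalEvent TEXT, OwnEvent TEXT)');

$stmt = $db->prepare(
    'INSERT INTO Calendar (CalDate, CalEvent, OwnEvent) VALUES (:d, :e, :o)'
);
$stmt->execute([':d' => '2005-01-07', ':e' => $event, ':o' => 'david']);

// Read the row back and compare it with what was submitted.
$stored = $db->query('SELECT CalEvent FROM Calendar')->fetchColumn();
var_dump($stored === $event);

// When redisplaying in the TEXTAREA, encode for HTML rather than stripslashes().
echo '<TEXTAREA name="event" rows="2" cols="30">',
     htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'),
     "</TEXTAREA>\n";
```

Against a real MSSQL server the same prepare/execute calls apply with a PDO driver for SQL Server in place of the SQLite DSN.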