Re: Use of pg_escape_string()

From: Eric Chamberlain <Eric(dot)Chamberlain(at)zonarsystems(dot)com>
To: "rod(at)iol(dot)ie" <rod(at)iol(dot)ie>
Cc: Sylvain Racine <syracine(at)sympatico(dot)ca>, "pgsql-php(at)postgresql(dot)org" <pgsql-php(at)postgresql(dot)org>
Subject: Re: Use of pg_escape_string()
Date: 2009-11-23 17:31:24
Message-ID: 802753EA-EF20-481E-9314-139E761824E3@zonarsystems.com
Lists: pgsql-php

Adding an extra apostrophe is one of the ways you can escape another apostrophe with Postgres. I believe Postgres can use an extra apostrophe or a backslash... and the API call you're using just happens to elect using the extra apostrophe over the backslash. If you look at the data inserted into the database, is there only one apostrophe in your data? If so, that's what it is. If there are two, it could be, as the previous poster said, that magic quotes are enabled.

Eric Chamberlain

On Nov 22, 2009, at 11:44 AM, Raymond O'Donnell wrote:

> On 22/11/2009 19:22, Sylvain Racine wrote:
>> Hello,
>>
>> I used to hear that every variable coming from the user in PHP should be
>> escaped. Most programmers around me use MySQL with mysql_escape_string(). Because
>> I program with PostgreSQL, I take advantage of pg_escape_string().
>> Everything went well until I entered data with an apostrophe (').
>> pg_escape_string() escapes my apostrophe with another apostrophe ('').
>> My data are stored correctly in the database. No error... except that a
>> double apostrophe appears. This is not what I want.
>>
>> Maybe something is wrong in my program. Here is a sample of what I use
>> to store data in the table "personnes", which has two columns: firstname,
>> lastname. I removed the database connection and the construction of the objects
>> Minute and Personnes.
>
> Where is the INSERTed data coming from? Is it coming from data
> submitted by GET or POST? If so, is magic_quotes_gpc turned on? If it
> is, this could explain what you're seeing.
>
> BTW, it's much better to use parametrised queries - look up
> pg_query_params in the PHP docs. This looks after all quoting for you
> automatically, and prevents SQL injection attacks.
>
> Ray.
>
>
> --
> Raymond O'Donnell :: Galway :: Ireland
> rod(at)iol(dot)ie
>

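As an added example (not code from this thread or from the PostgreSQL project), here are the two paths Eric and Ray describe side by side in PHP: input that magic_quotes_gpc may already have altered, the hand-built INSERT using pg_escape_string(), and the parametrised pg_query_params() version. The connection string $dsn, the helper unmagic() and the table personnes (firstname, lastname) are assumptions taken from Sylvain's description.

```php
<?php
// Added example, not from the thread. Assumes $dsn holds a PostgreSQL
// connection string and that the table personnes (firstname, lastname)
// from Sylvain's message exists.

// Constructed input: exactly what the user typed into the form.
$raw = "O'Donnell";

// Step 1: undo magic_quotes_gpc when it is on, so we hold the value the
// user actually typed. With magic_quotes_gpc=On (PHP 5.3 and older),
// $_POST['lastname'] arrives as O\'Donnell; escaping that again with
// pg_escape_string() produces a literal that stores a doubled or
// backslashed apostrophe, which matches the symptom in the thread.
function unmagic(string $value): string {
    // get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value) : $value;
}

$lastname = unmagic($raw);
$conn = pg_connect($dsn);

// Route the thread is debugging: build the SQL text by hand.
// pg_escape_string() doubles the apostrophe for the SQL parser only;
// the stored value keeps a single apostrophe, provided the input was
// not already mangled by magic quotes.
$sql = sprintf(
    "INSERT INTO personnes (firstname, lastname) VALUES ('%s', '%s')",
    pg_escape_string($conn, 'Raymond'),
    pg_escape_string($conn, $lastname)
);
pg_query($conn, $sql);

// Route Ray recommends: a parametrised query. No quoting appears in the
// SQL text; the values travel separately, so user input cannot change
// the statement's structure and no manual escaping is needed at all.
pg_query_params(
    $conn,
    'INSERT INTO personnes (firstname, lastname) VALUES ($1, $2)',
    ['Raymond', $lastname]
);

// Check what was actually stored, as Eric suggests: both rows should
// come back with exactly one apostrophe in lastname.
$check = pg_query_params(
    $conn,
    'SELECT lastname FROM personnes WHERE firstname = $1',
    ['Raymond']
);
while ($row = pg_fetch_assoc($check)) {
    var_dump($row['lastname']);
}
```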
