Re: submitting varchar string from form / escape characters

on 9/10/02 10:30 AM, hellau(at)20min(dot)ch purportedly said:

> I am using pgsql with php and have the following
> problem:
> I have a form which lets the user dynamically select a
> table, after this query he gets a list of possible
> attributes, after selecting one he can do a subquery
> and select a second attribute, and an operator, and a
> value. after this I put the final sql query string
> together like:
> $sql = "SELECT $attribute FROM $table WHERE $attribute2
> $operator $value";
> this string is now submitted to another php document
> doing the query and tabing the results out. if $value
> is a number, everything works fine, but if $value is a
> string with several words, commatas and/or spaces
> inside, I get an error message. when I try to do
> something like "'".$value."'" I always get: ERROR:
> parser: parse error at or near "\"
>
> I tryed all possibilities of escape characters I could
> think of. If somebody knows what I am missing, help
> would be apreciated.

Always use quotes regardless of a column value (numeric vs string), e.g.
'$value'. Postgres is smart enough to convert quoted numbers to numeric
values. I am not sure if there is overhead associated with this, but the
only other option is to analyze the column type and act accordingly.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"