str_replace ? [message #183349]
Mon, 21 October 2013 00:48
Mr Oldies
Messages: 241 Registered: October 2013
Karma: 0
Senior Member
In my database I am noting that none of the song names containing a single
quote are being written.
If I use str_replace, how exactly should I write it?
The php manual is not all that clear.
http://php.net/manual/en/function.str-replace.php
e.g.
Name of song is "I'm Sorry".
$song=str_replace($song,"'%");
Re: str_replace ? [message #183356 is a reply to message #183349]
Mon, 21 October 2013 01:06
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 10/20/2013 8:48 PM, richard wrote:
> In my database I am noting that none of the song names containing a single
> quote are being written.
> If I use str_replace, how exactly should I write it?
>
> The php manual is not all that clear.
> http://php.net/manual/en/function.str-replace.php
>
> e.g.
>
> Name of song is "I'm Sorry".
>
> $song=str_replace($song,"'%");
>
As you've been told many times before. ALL strings used in accessing ANY
SQL database need to be escaped.
You're not doing that.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: str_replace ? [message #183357 is a reply to message #183352]
Mon, 21 October 2013 01:55
Mr Oldies
Messages: 241 Registered: October 2013
Karma: 0
Senior Member
On Sun, 20 Oct 2013 21:02:10 -0400, Lew Pitcher wrote:
> On Sunday 20 October 2013 20:48, in comp.lang.php, "richard"
> <noreply(at)example(dot)com> wrote:
>
>> In my database I am noting that none of the song names containing a single
>> quote are being written.
>> If I use str_replace, how exactly should I write it?
>
> By using mysql_real_escape_string()
>
> http://ca1.php.net/manual/en/function.mysql-real-escape-string.php
>
> See example #1, and modify for INSERT
I don't quite follow the example.
What I have is this:
$played=$playme[$number][2];
mysql_query(
"INSERT INTO top20 (songs,name,hits)
VALUES (' ".$song." ',' ".$played." ',1)
ON DUPLICATE KEY UPDATE hits=hits+1");
Assume that $played="I'm Sorry".
Please show me how and where to put the proper coding.
Re: str_replace ? [message #183360 is a reply to message #183357]
Mon, 21 October 2013 02:11
David Robley
Messages: 23 Registered: March 2013
Karma: 0
Junior Member
richard wrote:
> On Sun, 20 Oct 2013 21:02:10 -0400, Lew Pitcher wrote:
>
>> On Sunday 20 October 2013 20:48, in comp.lang.php, "richard"
>> <noreply(at)example(dot)com> wrote:
>>
>>> In my database I am noting that none of the song names containing a
>>> single quote are being written.
>>> If I use str_replace, how exactly should I write it?
>>
>> By using mysql_real_escape_string()
>>
>> http://ca1.php.net/manual/en/function.mysql-real-escape-string.php
>>
>> See example #1, and modify for INSERT
>
> I don't quite follow the example.
> What I have is this:
>
$played = mysql_real_escape_string($playme[$number][2]);
>
> mysql_query(
> "INSERT INTO top20 (songs,name,hits)
> VALUES (' ".$song." ',' ".$played." ',1)
> ON DUPLICATE KEY UPDATE hits=hits+1");
>
> Assume that $played="I'm Sorry".
>
> Please show me how and where to put the proper coding.
Use the above; this is simpler than trying to introduce you to the
complexities of sprintf. You should use mysql_real_escape_string on any
strings you send to mysql.
--
Cheers
David Robley
"I teach at a university," Tom professed.
Re: str_replace ? [message #183386 is a reply to message #183349]
Mon, 21 October 2013 18:43
Denis McMahon
Messages: 634 Registered: September 2010
Karma: 0
Senior Member
On Sun, 20 Oct 2013 20:48:26 -0400, richard wrote:
> In my database I am noting that none of the song names containing a
> single quote are being written.
There are some functions that have been suggested to you time and time
again over the years for making strings safe for use within urls, within
sql databases, and within html.
The fact that you still ask these questions shows that you do not absorb
the answers when they are given to you.
Therefore, there is now no point in providing the correct answers to
these questions.
Instead, here is a suggestion. In future, before posting a question here,
try entering into google (or any other search engine of your choice) the
question you wish to ask, for example:
<url:http://lmgtfy.com/?q=how+do+i+use+php+strings+with+single+quotes+in+sql+queries>
Wow, the 4th through 7th replies point to php online manual pages. I
wonder if any of those might refer to the function needed. Best go read
them and see.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: str_replace ? [message #183389 is a reply to message #183386]
Mon, 21 October 2013 23:10
Norman Peelman
Messages: 126 Registered: September 2010
Karma: 0
Senior Member
On 10/21/2013 02:43 PM, Denis McMahon wrote:
> On Sun, 20 Oct 2013 20:48:26 -0400, richard wrote:
>
>> In my database I am noting that none of the song names containing a
>> single quote are being written.
>
> There are some functions that have been suggested to you time and time
> again over the years for making strings safe for use within urls, within
> sql databases, and within html.
>
> The fact that you still ask these questions shows that you do not absorb
> the answers when they are given to you.
>
> Therefore, there is now no point in providing the correct answers to
> these questions.
>
> Instead, here is a suggestion. In future, before posting a question here,
> try entering into google (or any other search engine of your choice) the
> question you wish to ask, for example:
>
> <url:http://lmgtfy.com/?q=how+do+i+use+php+strings+with+single+quotes+in+sql+queries>
>
> Wow, the 4th through 7th replies point to php online manual pages. I
> wonder if any of those might refer to the function needed. Best go read
> them and see.
>
What I've noticed is that whenever he is given something to learn, he
disappears... he only wants lines of code he can cut-n-paste.
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
Re: str_replace ? [message #183390 is a reply to message #183349]
Mon, 21 October 2013 23:14
Norman Peelman
Messages: 126 Registered: September 2010
Karma: 0
Senior Member
On 10/20/2013 08:48 PM, richard wrote:
> In my database I am noting that none of the song names containing a single
> quote are being written.
> If I use str_replace, how exactly should I write it?
>
> The php manual is not all that clear.
> http://php.net/manual/en/function.str-replace.php
>
> e.g.
>
> Name of song is "I'm Sorry".
>
> $song=str_replace($song,"'%");
>
I really don't understand how you come up with that example. The
manual is perfectly clear. But that's not your problem.
--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
Re: str_replace ? [message #183411 is a reply to message #183349]
Wed, 23 October 2013 17:04
Tobiah
Messages: 30 Registered: April 2011
Karma: 0
Member
On 10/20/2013 05:48 PM, richard wrote:
> In my database I am noting that none of the song names containing a single
> quote are being written.
> If I use str_replace, how exactly should I write it?
>
> The php manual is not all that clear.
> http://php.net/manual/en/function.str-replace.php
>
> e.g.
>
> Name of song is "I'm Sorry".
>
> $song=str_replace($song,"'%");
>
You can also use parameter substitution with
mysqli.
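The parameter substitution mentioned in the post above, applied to the thread's INSERT, as an added example that is not part of the original posts. The connection details, the helper names record_play() and hits_for(), and the sample values are assumptions; the table and column names are the ones quoted in the thread.

```php
<?php
// Added example, not code from the thread.
// Assumptions: connection details below are placeholders; the top20 table has a
// unique key that makes ON DUPLICATE KEY UPDATE fire for a repeated song.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any SQL error

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4');

// Hypothetical helper: the same INSERT as in the thread, with the two string
// values sent as bound parameters instead of being concatenated into the SQL.
function record_play(mysqli $db, string $song, string $played): void
{
    // The ? placeholders carry no quotes, so a title such as "I'm Sorry" cannot
    // terminate the string literal, and the stray spaces that
    // ' ".$played." ' put around the stored value are gone as well.
    $stmt = $db->prepare(
        'INSERT INTO top20 (songs, name, hits)
         VALUES (?, ?, 1)
         ON DUPLICATE KEY UPDATE hits = hits + 1'
    );
    $stmt->bind_param('ss', $song, $played); // 'ss' = two string parameters
    $stmt->execute();
    $stmt->close();
}

// Hypothetical helper: read the counter back, again with a bound parameter.
function hits_for(mysqli $db, string $played): ?int
{
    $stmt = $db->prepare('SELECT hits FROM top20 WHERE name = ?');
    $stmt->bind_param('s', $played);
    $stmt->execute();
    $stmt->bind_result($hits);
    $found = $stmt->fetch(); // true on a row, null when nothing matches
    $stmt->close();
    return $found ? (int) $hits : null;
}

// Constructed sample values; the title with the single quote is the one
// from the original question.
record_play($db, 'constructed-song-key', "I'm Sorry");
var_dump(hits_for($db, "I'm Sorry"));
```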
Re: str_replace ? [message #183423 is a reply to message #183411]
Thu, 24 October 2013 00:03
Scott Johnson
Messages: 196 Registered: January 2012
Karma: 0
Senior Member
On 10/23/2013 10:04 AM, Tobiah wrote:
> On 10/20/2013 05:48 PM, richard wrote:
>> In my database I am noting that none of the song names containing a
>> single
>> quote are being written.
>> If I use str_replace, how exactly should I write it?
>>
>> The php manual is not all that clear.
>> http://php.net/manual/en/function.str-replace.php
>>
>> e.g.
>>
>> Name of song is "I'm Sorry".
>>
>> $song=str_replace($song,"'%");
>>
>
> You can also use parameter substitution with
> mysqli.
mysqli is a dirty word to Richard.
Scotty