*always always always* quote everything in SQL statements.
you run the risk of letting people insert arbitrary
SQL statements into your script if you don't quote values.
if you're using MySQL, try mysql_escape_string
http://php.net/manual/en/function.mysql-escape-string.php
or you could roll your own with relative ease:
function db_quote($value) {
    return "'". preg_replace("/'/", "''", $value) ."'";
}
> -----Original Message-----
> From: Matt Greer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 01, 2001 12:45 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] SQL syntax error in PHP script. dunno what's wrong
>
>
> on 8/1/01 11:35 AM, Chris Worth at [EMAIL PROTECTED] wrote:
>
> >
> >
> > hey gang.
> >
> > here is my sql statement from my php script.
> >
> > $sql = "UPDATE TABLE seminar SET
> > title=$title,speaker=$speaker,event_date=$tdate,time=$time,bldg=$building
> > ,rm=$room WHERE id=$id";
> >
>
> strings in a mysql query need to be quoted. So change it to
>
> $sql = "UPDATE TABLE seminar SET title='$title',speaker='$speaker',...";
>
> Matt
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
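The "quote everything" rule from the reply above, as an added example that is not code from the original post: it builds the seminar UPDATE from the thread with every value quoted and escapes both characters MySQL treats specially inside a quoted string (the quote and the backslash); the sample row and the `build_seminar_update` helper are constructed for illustration.

```php
<?php
// Added example, not from the original post. Escapes the two characters
// MySQL treats specially inside a quoted string literal: the quote itself
// and the backslash. A quote-only escaper leaves a trailing backslash in
// the input able to escape the closing quote, so both must be handled.
function db_quote(string $value): string {
    // Backslash first, so the backslashes added for quotes are not re-escaped.
    $escaped = str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
    return "'" . $escaped . "'";
}

// Builds the UPDATE from the thread with every value quoted. Column names
// are fixed in code; only the values come from user input. The id is cast
// to int, which is the only reason it may appear unquoted.
// (MySQL's UPDATE takes the table name directly, without a TABLE keyword.)
function build_seminar_update(array $row, int $id): string {
    $columns = ['title', 'speaker', 'event_date', 'time', 'bldg', 'rm'];
    $assignments = [];
    foreach ($columns as $col) {
        $assignments[] = $col . '=' . db_quote((string) $row[$col]);
    }
    return 'UPDATE seminar SET ' . implode(',', $assignments)
         . ' WHERE id=' . $id;
}

// Constructed sample row: an apostrophe and a trailing backslash are the
// two inputs that break naive quoting.
$sample = [
    'title'      => "Intro to O'Reilly's books\\",
    'speaker'    => 'Chris Worth',
    'event_date' => '2001-08-01',
    'time'       => '12:45',
    'bldg'       => 'Hall A',
    'rm'         => '101',
];

// Self-checks on the escaper.
assert(db_quote("O'Brien") === "'O\\'Brien'");
assert(db_quote("a\\") === "'a\\\\'");   // trailing backslash stays inside the quotes
assert(db_quote('plain') === "'plain'");

echo build_seminar_update($sample, 7), "\n";
```

On current PHP the mysql_* functions no longer exist; mysqli or PDO prepared statements do the quoting for you and are the usual replacement for hand-built SQL like this.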