fshock Posted June 21, 2011

I'm using PHP for a function here:

    for($i=1; ; $i++){
        if($i > 8){ break; }
        // variable variables: reads $qb1..$qb8 and $qbname1..$qbname8
        if(!empty(${'qb'.$i})){
            $query .= "qb".$i."=".${'qb'.$i}.",";
            $query .= "qbname".$i."=".${'qbname'.$i}.",";
        }
    }

echo'ed $query shows something like this:

    qb1=2007,qbname1=Earth Quake,qb2=2008,qbname2=Fire ball

The problem is that I can't inject this to MySQL, because I need somehow to 'quote' the qbnames. How should I implement THAT into my for loop?

P.S. this would be correct:

    qb1=2007,qbname1='Earth Quake',qb2=2008,qbname2='Fire ball'

justsomeguy Posted June 21, 2011

Just add quote characters in the string before and after the value. You'll also want to use the mysql_real_escape_string function to protect against SQL attacks or problems.

http://us.php.net/manual/en/function.mysql...cape-string.php

Also, instead of this:

    for($i=1; ; $i++){
        if($i > 8){ break; }

It makes more sense to do this:

    for($i=1; $i <= 8; $i++){

fshock Posted June 21, 2011

I've used "'${something.$i}'" and it works with MySQL. Will read about the real_escape thingie.

Thanks, Just Some Guy :)

Edit: and I was stripping non-alphanumeric chars, is it as good as real_escape?

Synook Posted June 22, 2011

Stripping characters will result in data loss - if you just want to make your data safe it is much better to escape the sensitive characters (e.g. by using mysql_real_escape_string()).
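
The loop from this thread, as an added example that is not code from any of the posters: it binds the values through a PDO prepared statement instead of quoting them by hand (a different technique from the mysql_real_escape_string() call recommended above, which was removed in PHP 7.0), and it shows what stripping does to a name containing an apostrophe. The table name `quests`, the `$input` array that stands in for `$qb1..$qb8` / `$qbname1..$qbname8`, and the in-memory SQLite database used to keep it offline are all assumptions.

```php
<?php
// Added example, not code from the thread. Table layout and sample rows are constructed.
$input = [
    1 => ['qb' => 2007, 'qbname' => 'Earth Quake'],
    2 => ['qb' => 2008, 'qbname' => "Dragon's Breath"], // apostrophe breaks a hand-quoted string
];

// Column names are derived only from the loop counter; every value becomes a bound parameter.
function buildSetClause(array $input, int $max = 8): array
{
    $sets = [];
    $params = [];
    for ($i = 1; $i <= $max; $i++) {
        if (empty($input[$i]['qb'])) {
            continue; // same skip rule as the original loop
        }
        $sets[] = "qb$i = ?";
        $sets[] = "qbname$i = ?";
        $params[] = (int) $input[$i]['qb'];
        $params[] = (string) $input[$i]['qbname'];
    }
    return [implode(', ', $sets), $params]; // implode() also avoids the trailing comma
}

// In-memory SQLite keeps the example offline; a MySQL DSN and credentials would replace this.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$cols = [];
for ($i = 1; $i <= 8; $i++) {
    $cols[] = "qb$i INTEGER";
    $cols[] = "qbname$i TEXT";
}
$pdo->exec('CREATE TABLE quests (id INTEGER PRIMARY KEY, ' . implode(', ', $cols) . ')');
$pdo->exec('INSERT INTO quests (id) VALUES (1)');

[$setSql, $params] = buildSetClause($input);
if ($setSql !== '') {
    $stmt = $pdo->prepare("UPDATE quests SET $setSql WHERE id = ?");
    $stmt->execute(array_merge($params, [1]));
}

// Read the value back, and strip the same input for comparison.
$stored = $pdo->query('SELECT qbname2 FROM quests WHERE id = 1')->fetchColumn();
$stripped = preg_replace('/[^A-Za-z0-9 ]/', '', $input[2]['qbname']);

echo "sql:      UPDATE quests SET $setSql WHERE id = ?\n";
echo "stored:   $stored\n";
echo "stripped: $stripped\n";
```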