How to handle apostrophes and semicolons


Stefan Mueller

I've a web page with several input boxes. After the user clicks 'submit' I
insert this data into my MySQL database.
This worked perfectly for several months. But today a user entered the street
name
Route d'Yverdon 59

unfortunately the data has not been inserted into my MySQL database because
of the apostrophe (') in the name of the street.

I've no idea how to deal with this problem.
Is there any way to stop my PHP & Java scripts from interpreting
apostrophes (') and semicolons (")?

Stefan
 

TheBagbournes

Stefan said:
I've a web page with several input boxes. After the user clicks 'submit' I
insert this data into my MySQL database.
This worked perfectly for several months. But today a user entered the street
name
Route d'Yverdon 59

unfortunately the data has not been inserted into my MySQL database because
of the apostrophe (') in the name of the street.

I've no idea how to deal with this problem.
Is there any way to stop my PHP & Java scripts from interpreting
apostrophes (') and semicolons (")?

Stefan

I don't think this is a javascript problem. At a guess, the back end PHP
will be creating SQL statements using string concatenation, and putting
the values from the form fields into strings delimited by apostrophes.

This exposes you to security risks because of the problem shown above -
the apostrophe ends the string, and anything the user types after it is
interpreted as *part of the SQL statement*!

Look at
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html

Nige
 

Dr John Stockton

JRS: In article <[email protected]>, dated Sat, 11 Mar 2006
10:30:21 remote, seen in Stefan Mueller
I've a web page with several input boxes. After the user clicks 'submit' I
insert this data into my MySQL database.
This worked perfectly for several months. But today a user entered the street
name
Route d'Yverdon 59

unfortunately the data has not been inserted into my MySQL database because
of the apostrophe (') in the name of the street.

I've no idea how to deal with this problem.
Is there any way to stop my PHP & Java scripts from interpreting
apostrophes (') and semicolons (")?

Any string input by the user needs to be checked to make sure (at least)
that it contains no harmful characters and is of safe length.

That *can* be done at the client, so that the user can correct before
transmission. But it *must* be done at the server end, if only to
defend against malice. You may be able to replace the offending
character by a similar but harmless one, or to precede it with an escape
character (maybe \), or render it in Unicode or similar.

Omitting quibble, ' is apostrophe or single-quote, " is quote or double-
quote, and semicolon or semi-colon is ; .

You'll need to check language specifications to see what is allowed.

Note that in javascript a'b"c is a legitimate string, and can be
entered by way of a text control. But it cannot be written in that form
as a literal, though "a'b\"c" and 'a\'b"c' and "a\u0027b\u0022c"
can (E&OE) be used in code.
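An added example, not code from the thread (the poster's PHP is never shown), that demonstrates the point of both replies above: Nige's guess that the form value is concatenated into the SQL between apostrophes, and Dr Stockton's call for a server-side length and character check. It uses Python's sqlite3 module as a stand-in for PHP and MySQL because the mechanism is identical; the table schema, the `users` table, the fake password hash and the hostile input are all constructed for the example. The PHP equivalent of `insert_with_parameters` is a PDO or mysqli prepared statement, which is what the linked MySQL article describes.

```python
import sqlite3

# Constructed sample inputs (not from the thread's database): the street name
# from the question, and one hostile value an attacker might submit instead.
STREET_FROM_THREAD = "Route d'Yverdon 59"
HOSTILE_INPUT = "x' || (SELECT password_hash FROM users WHERE name = 'admin') || '"
FAKE_HASH = "$2y$10$constructed.example.hash"   # constructed, not a real hash
MAX_STREET_LEN = 100


def fresh_db():
    """In-memory SQLite stand-in for the MySQL database (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (id INTEGER PRIMARY KEY, street TEXT NOT NULL)")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO addresses (street) VALUES ('Bahnhofstrasse 1')")
    conn.execute("INSERT INTO users VALUES ('admin', ?)", (FAKE_HASH,))
    conn.commit()
    return conn


def insert_by_concatenation(conn, street):
    """The pattern the reply guesses at: the value is pasted between apostrophes.

    An apostrophe inside the value closes the SQL string early, so everything
    after it is parsed as SQL rather than stored as data.
    """
    sql = "INSERT INTO addresses (street) VALUES ('" + street + "')"
    conn.execute(sql)
    conn.commit()


def insert_with_parameters(conn, street):
    """The fix the reply links to: a prepared (parameterised) statement.

    The SQL text and the value travel separately, so the value is never parsed
    as SQL; quotes, semicolons and comment markers in it are just characters.
    """
    conn.execute("INSERT INTO addresses (street) VALUES (?)", (street,))
    conn.commit()


def validate_street(street):
    """Server-side check of the kind the third reply asks for: bounded length,
    no control characters. It deliberately allows ' and ; because they are
    legitimate in addresses; the parameterised insert makes them harmless."""
    if not 1 <= len(street) <= MAX_STREET_LEN:
        return False
    return all(ord(c) >= 32 and ord(c) != 127 for c in street)


def stored_streets(conn):
    return [row[0] for row in conn.execute("SELECT street FROM addresses ORDER BY id")]


def demo():
    """Runs the three scenarios and returns what ended up in the table."""
    results = {}

    # 1. Concatenation breaks on the legitimate Swiss street name: the SQL
    #    becomes ... VALUES ('Route d'Yverdon 59') and the parser fails at Yverdon.
    conn = fresh_db()
    try:
        insert_by_concatenation(conn, STREET_FROM_THREAD)
        results["concat_legit"] = "inserted"
    except sqlite3.Error as exc:
        results["concat_legit"] = "error: " + str(exc)

    # 2. The same concatenation runs attacker SQL: the subselect is evaluated
    #    and the admin's password hash is written into the attacker's own row,
    #    which the attacker can later read back through the normal UI.
    conn = fresh_db()
    insert_by_concatenation(conn, HOSTILE_INPUT)
    results["concat_hostile"] = stored_streets(conn)

    # 3. Validation plus parameters: both values pass the length/control-char
    #    check (the hostile one is well-formed text) and both are stored
    #    literally, with no error and no evaluation.
    conn = fresh_db()
    for street in (STREET_FROM_THREAD, HOSTILE_INPUT):
        if validate_street(street):
            insert_with_parameters(conn, street)
    results["parameterised"] = stored_streets(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Note what scenario 3 shows: the hostile value passes `validate_street`, because a length and character check cannot tell a hostile apostrophe from a legitimate one in "Route d'Yverdon 59". That is why the answer to the original question is not to reject or strip these characters but to stop the database from ever parsing user data as SQL. Escaping with a backslash, as the third reply mentions, also works if done by the driver's own escaping routine for every value, but a prepared statement removes the chance of forgetting one.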
 
