SPUG: inserting content into mysql database

Peter Darley pdarley at kinesis-cem.com
Tue Oct 3 11:01:35 PDT 2006 

JD,

    The problem with this is that it leaves you open to other types of SQL
injection, which may be an issue or not, depending on where the data is
coming from.  Also, different dbs have different ways of escaping quotes, so
formatting your data by hand loses something in terms of portability.

    I'd strongly suggest using the quote function if it's good enough in
MySQL (which I don't have an opinion about), or use place holders if the
quote isn't strong enough.

Thanks,
Peter Darley
  -----Original Message-----
  From: spug-list-bounces+pdarley=kinesis-cem.com at pm.org
[mailto:spug-list-bounces+pdarley=kinesis-cem.com at pm.org]On Behalf Of JD
Brennan
  Sent: Tuesday, October 03, 2006 10:46 AM
  To: spug-list at pm.org
  Subject: Re: SPUG: inserting content into mysql database


  In SQL you have to double the single quotes.

  update FOO set X = 'This couldn''t happen to you'

  of course there'a method in Perl to do it, as Keith
  mentioned.

  JD



  On 10/3/06, Keith Reed <keith.reed at philips.com> wrote:

    Check out dbh->quote()

    Keith







          "luis medrano" <lmzaldivar at gmail.com>
          Sent by:
          spug-list-bounces+keith.reed=philips.com at pm.org

          2006-10-03 10:35 AM
         To spug-list at pm.org
                cc

                Subject SPUG: inserting content into mysql database
                Classification












    List,

    I running this code feeding a database:
    my $sth1=$dbh->prepare("INSERT INTO wp_posts(post_author, post_date,
post_date_gmt, post_content,post_title, post_status, comment_status,
ping_status,post_name, post_modified, post_modified_gmt,guid)

VALUES('$post_author','$post_date','$post_date_gmt','@post_content','$post_t
itle','$post_status','$comment_status','$ping_status','$post_name','$post_mo
dified','$post_modified_gmt','$guid')")  or die; # "Couldnt prepare
statement: " . dbh->errstr;

           my $rv1 = $sth1->execute();


    but my problem is if any of the values of @post_content or $post_title
contain apostrophe the script show this error not executing of feeding the
database:

    DBD::mysql::st execute failed: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near 's%20secret%20visits%20to%20heiress/article.do">Goldsmith
s secret visits to heir ' at line 2 at posting-news.pl

    anybody knows how can I fix this without removing the apostrophe?

    Thanks,

    Luis_____________________________________________________________
    Seattle Perl Users Group Mailing List
        POST TO: spug-list at pm.org
    SUBSCRIPTION: http://mail.pm.org/mailman/listinfo/spug-list
       MEETINGS: 3rd Tuesdays
       WEB PAGE: http://seattleperl.org/

    _____________________________________________________________
    Seattle Perl Users Group Mailing List
        POST TO: spug-list at pm.org
    SUBSCRIPTION: http://mail.pm.org/mailman/listinfo/spug-list
       MEETINGS: 3rd Tuesdays
       WEB PAGE: http://seattleperl.org/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pm.org/pipermail/spug-list/attachments/20061003/6c216ed5/attachment-0001.html

More information about the spug-list mailing list