
I am attempting to insert data into a table that contains a lot of single and double quotes.

INSERT INTO vulnerabilities_internal_test (device_type, ip_address, user_tag, 
repositoryID, severity, pluginID, pluginName, pluginText)

VALUES ("@Data.device_type~", "@Data.ip_address~", "@Data.user_tag~", 
"@Data.repositoryID~", "@Data.severity~", "@Data.pluginID~", "@Data.pluginName~", 
replace(replace("@Data.pluginText~", ',', ''), '"', '' ))

I am receiving the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Thorough tests" was not enabled\nwhen this scan was run.\n\nCVE : CVE-2011-1000,' at line 3

However the data looks like this:

Thorough tests" was not enabled\nwhen this scan was run.\n\nCVE : CVE-2011-1000

Does anyone have an idea why one of the double quotes is being replaced with a single quote and throwing this error?

Ben

1 Answer


It shouldn't matter. The problem is that your data should have all quotation marks escaped with a slash ('\'). That way, you just need to unescape the data when returning results to your code.

Ian Atkin
  • I have no control over the data, it is coming in from an external tool. I am just trying to insert it into a new database – Ben May 21 '12 at 17:41
  • What do you mean by no control, can't you clean the data before inserting? – edocetirwi May 21 '12 at 17:47
  • I am not sure how to, I am connected to the backend database of a network scanning tool and trying to insert scan results from it into a MySQL database that I set up to work with the data. – Ben May 21 '12 at 17:54
  • There would be no need to unescape the data when returning results from the db. – Marcus Adams May 21 '12 at 18:17
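The mechanics behind the question and the answer, as an added example that is not code from the question, the answer, or the scanning tool. The `@Data.x~` placeholders are substituted as raw text before MySQL ever sees the statement, so by the time `replace()` would run the tokenizer has already closed the literal at the first embedded `"` and is parsing the rest of pluginText as SQL; escaping (the answer's suggestion) or driver parameters have to happen before the text is spliced in. The block below uses a constructed pluginText value and a constructed row, a small scanner that closes a literal the way MySQL's tokenizer does under the default sql_mode, the `mysql_real_escape_string` character set for the escaping, and the standard-library `sqlite3` module as an offline stand-in for MySQL in the parameterized version (with MySQLdb or mysql-connector the placeholder is `%s` rather than `?`). Column and table names are taken from the question; everything else is assumed.

```python
import sqlite3

# Constructed sample value shaped like the pluginText in the question: it
# contains an embedded double quote and newlines. Not the real scanner output.
PLUGIN_TEXT = 'Thorough tests" was not enabled\nwhen this scan was run.\n\nCVE : CVE-2011-1000'

# Constructed placeholder values for the other columns of the INSERT.
COLUMNS = ('device_type', 'ip_address', 'user_tag', 'repositoryID',
           'severity', 'pluginID', 'pluginName', 'pluginText')
SAMPLE_ROW = ('server', '10.0.0.5', 'internal', '1', '2', '11011',
              'Thorough tests', PLUGIN_TEXT)


def naive_literal(value):
    """What the template in the question produces: the value spliced between
    double quotes with no escaping. Any double quote inside the value closes
    the literal early and the remainder is parsed as SQL."""
    return '"' + value + '"'


def mysql_escape(value):
    """Backslash-escape the characters MySQL treats specially inside a quoted
    string literal under the default sql_mode (the set mysql_real_escape_string
    handles: backslash, NUL, newline, carriage return, both quote characters,
    Ctrl-Z). Assumes NO_BASH_BACKSLASH_ESCAPES is off, i.e. NO_BACKSLASH_ESCAPES
    is not set on the server."""
    table = {'\\': '\\\\', '\0': '\\0', '\n': '\\n', '\r': '\\r',
             "'": "\\'", '"': '\\"', '\x1a': '\\Z'}
    return ''.join(table.get(ch, ch) for ch in value)


def escaped_literal(value):
    """The answer's approach: escape first, then wrap in quotes."""
    return '"' + mysql_escape(value) + '"'


def literal_end(sql, start=0):
    """Return the index of the quote that closes the string literal opening at
    sql[start], honouring backslash escapes and doubled quotes the way the
    MySQL tokenizer does; None if the literal is never closed."""
    quote = sql[start]
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == '\\':
            i += 2                      # backslash escapes the next character
            continue
        if ch == quote:
            if i + 1 < len(sql) and sql[i + 1] == quote:
                i += 2                  # doubled quote is an escaped quote
                continue
            return i
        i += 1
    return None


def trailing_text(literal):
    """Text left over after the tokenizer closes the literal: empty for a
    well-formed literal, the 'near ...' fragment of the error message when
    the value closed the literal early, None if it was never closed."""
    end = literal_end(literal)
    return None if end is None else literal[end + 1:]


def render_insert(row, literal_fn):
    """Render the full INSERT the way a text-substitution template would."""
    values = ', '.join(literal_fn(v) for v in row)
    return 'INSERT INTO vulnerabilities_internal_test (%s) VALUES (%s)' % (
        ', '.join(COLUMNS), values)


def insert_with_parameters(rows):
    """Preferred fix: hand the values to the driver as parameters so no
    escaping code is needed at all. sqlite3 stands in for MySQL here so the
    example runs offline; with MySQLdb or mysql-connector the placeholder is
    %s instead of ? and the rest is identical."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE vulnerabilities_internal_test (%s)'
                 % ', '.join(c + ' TEXT' for c in COLUMNS))
    conn.executemany('INSERT INTO vulnerabilities_internal_test (%s) VALUES (%s)'
                     % (', '.join(COLUMNS), ', '.join('?' for _ in COLUMNS)),
                     rows)
    return [r[0] for r in conn.execute(
        'SELECT pluginText FROM vulnerabilities_internal_test')]


if __name__ == '__main__':
    broken = naive_literal(PLUGIN_TEXT)
    print('naive literal closes at index', literal_end(broken),
          'leaving SQL to parse:', repr(trailing_text(broken)))
    fixed = escaped_literal(PLUGIN_TEXT)
    print('escaped literal closes at index', literal_end(fixed),
          'which is the last character:', literal_end(fixed) == len(fixed) - 1)
    print(render_insert(SAMPLE_ROW, escaped_literal))
    print(insert_with_parameters([SAMPLE_ROW]))
```

The escape table only matches a server running with backslash escapes enabled and a single-byte-safe connection charset; if `sql_mode` includes `NO_BACKSLASH_ESCAPES` the backslash is an ordinary character and only doubling the quote works. That dependency on server configuration is the practical reason to prefer driver parameters over hand-rolled escaping whenever the insert is issued from code rather than from a template the tool expands for you.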