4

Possible Duplicate:
Correct way to escape input data before passing to ODBC

the error I am getting from querying a ODBC query is this:

(pos: 72 '...M = 'Owen O'^Donavon' AND...') - syntax error

and when I try to escape it:

(pos: 73 '... = 'Owen O\'^Donavon' AND...') - syntax error

the ^ means that is where it is breaking

I have tried the following:

NAM = '".$var."'

And also this:

NAM = '".mysql_escape_string($var)."'

then I got desperate

NAM = \"".$var."\"

Where $var is any name that contains a ' in it.

if you need the whole query:

UPDATE TABLE SET COLUMN1 = 'ERR' WHERE COLUMN_NAM = '".mysql_escape_string($var)."' AND COLUMN7 = 0");

does anybody know how I can get the quote properly escaped?

Community
  • 1
  • 1
user1873432
  • 121
  • 2
  • 8
  • `mysql_real_escape_string()` is only for use with the `mysql_*()` API, which you are not using (since you're using ODBC) – Michael Berkowski Dec 21 '12 at 22:55
  • See: [Correct way to escape input data before passing to ODBC](http://stackoverflow.com/questions/5713837/correct-way-to-escape-input-data-before-passing-to-odbc) – Michael Berkowski Dec 21 '12 at 22:55

1 Answers1

4

To include a single quote within a MySQL string literal (which is delimited by single quotes), use two single quote characters. e.g.

'I don''t like it'

Effectively, When MySQL parses that, it will see the two single quote characters, and will interpret that as one single quote within a literal, rather than seeing the "end" of the string literal.

But (as you are finding out) when you have only one single quote in there, the MySQL parser has a hissy fit over it. Consider this example:

'I don't like it'

What the MySQL parser sees there is a string literal, five characters in length, containing 'I don'. Then MySQL sees that literal as being followed by some more tokens that need to be parsed: t like it. The parser does NOT see that as part of a string literal. That previous single quote marked the end of the string literal.

So now, the MySQL parser can't make heads or tails of what t like it is supposed to be. It sees the single quote following these tokens as the beginning of another string literal. (So, you could be very clever about what appears there, and manage to get something that MySQL does understand... and that would probably be even worse.)

(NOTE: this issue isn't specific to ODBC; this affects clients that make use of string literals in MySQL query text.)

One way to avoid this type of problem is to use bind variables in your query text, vs. string literals. (But with MySQL, what's happening anyway, is that escaping, what gets sent to the MySQL server (behind the scenes, so to speak) is a string literal.

Sometimes we DO need to include string literals in our query text, and we shouldn't be required to use bind variables as a workaround. So it's good to know how to "escape" a single quote within a string literal which is enclosed in single quotes.

spencer7593
  • 106,611
  • 15
  • 112
  • 140