I have built a website to submit timesheets for my small business. It uses SQL statements to submit data to a Microsoft Access database via ODBC. I've now noticed whenever I use a single quote in my description box, it gives me an error.
I read up on this and am hearing lots of people say 'parameterize your queries', but I'm unsure on how to do that.
I have an HTML textbox on my website as such
<textarea name="JobDescription" cols="75" rows="8" id="otherpurch"></textarea><br>
It's part of a form and is submitted along with various other things. How would I deal with the inclusion of single quotes in the description typed in this box? I have a .php file titled 'submit_form' where I'd imagine that would have to be done. What is the general procedure for parameterizing your queries? I'm a little confused on that.
Any help is immensely appreciated!
Here is how the data is sent from the textbox to the database.
$JobDescription=$_POST['JobDescription'];
$JobDescription=stripslashes($JobDescription);
$JobDescription=mysql_real_escape_string($JobDescription);
//make connection to database, bail if no connection
$connection = odbc_pconnect('db','','');
if (!$connection) { exit("Connection Failed: " . $connection); }
//Send data (usually there are many other variables being sent, but I removed them
//for the purposes of showing you just the text being sent from the description box
$sql = "INSERT INTO TimeSheet ('$JobDescription')";
$rs = odbc_exec($connection, $sql);
if (!$rs) { exit("Error in SQL");
Your intention to use parametrized SQL is correct, and Access via ODBC supports that as well.
For the functions to use instead of odbc_exec, see:
http://php.net/manual/en/function.odbc-prepare.php
http://php.net/manual/en/function.odbc-execute.php
$JobDescription=$_POST['JobDescription']; // no escaping needed!
$connection = odbc_pconnect('db','','');
if (!$connection) { exit("Connection Failed: " . $connection); }
$stmt = odbc_prepare($connection, "INSERT INTO TimeSheet (?)");
$rs = odbc_execute($stmt, array($JobDescription));