CODEWITHSUNDEEP
mysqloracle-databaseinsertquotesapostrophe
Prat
Prat

Reputation: 529

How to insert result of mysql_real_escape_string() into oracle database?

For inserting special characters in data like (,')etc., I am using mysql_real_escape_string() function & it's working fine.

Now I want to use same variable while inserting values in Oracle.

$str = 'N.G.Palace\'s Building',
    'xyzcity', '12345678','India','100001',12

Here $str is result of mysql_real_escape_string(). so it escapes special character. Now my code for oracle is like this-:

 $qry ="INSERT INTO Ora_table(ship_to_street, ship_to_city,ship_to_country, ship_to_telephone, order_id, record_no) VALUES(".$str);

So my doubt is Oracle is not accepting values return by mysql_real_escape_string i.e. Palace\'s (like this as this mysql function attach \ before 'single quote)? So can anybody tell me ho9w can I use that variable $str to insert data into Oracle?

Also I tried like this also-:

"q"."'"."c".$str."c"."'"

can we use this for multiple values like in my case...though still I am unable to inser data in oracle?

HOW to insert special characters in Oracle db?
like 'SWEET/HOME', 'CROY-BOY' etc. /,-,\ etc.

please tell me..

Upvotes: 0

Views: 2112

Answers (2)

Straseus
Straseus

Reputation: 478

From: http://www.php.net/manual/en/function.stripslashes.php#94758

function no_magic_quotes($query) {

        $data = explode("\\",$query);
        $cleaned = implode("",$data);
        return $cleaned;
}

// I'm using mysql_escape_string as a simple example, but this function would work for any escaped string.
$query = "It's amazing! Who's to say this isn't a simple function?";
$badstring = mysql_escape_string($query);

echo '<b>Without function:</b> '.$badstring;
echo '<br><br>';
echo '<b>With function:</b> '.no_magic_quotes($badstring);

Upvotes: -2

Bob Jarvis - Слава Україні
Bob Jarvis - Слава Україні

Reputation: 50077

I strongly urge you not to build queries by appending strings together. This is a ticket straight to hell - or to SQL Injection City, which is one stop earlier. :-) Seriously, though, if you use parameter markers and bind the values to the parameter markers you gain a couple of advantages:

  1. You don't have to escape anything, and
  2. No worries about SQL injection.

Share and enjoy.

Upvotes: 3

Related Questions