Re: When a string has an apostrophe ' it is not properly read

Posted: Wed Mar 10, 2010 12:50 am
by Griven
The security risk you are referring to is called SQL Injection.

Assuming that you're using MySQL, you can avoid it by sanitizing your database inputs with the mysql_real_escape_string() function. A similar function exists for the MySQLi extension. Take the following code for example:

$chat = "what's your name?";
$sanitizedchat = mysql_real_escape_string($chat);
The $sanitizedchat variable will now have all of its potentially dangerous characters escaped, so that you can safely insert it into your database.
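A fuller version of that escaping step, added here as an example and not part of Griven's reply, using the MySQLi equivalent of the function (the mysql_* functions no longer exist in PHP 7 and later); the connection parameters and the messages table are assumptions, and the prepared statement at the end is an alternative that avoids building SQL from strings at all.

```php
<?php
// Added example (not from the original post). Connection details and the
// messages table are placeholders / assumptions.
$db = new mysqli('localhost', 'chat_user', 'PLACEHOLDER_PASSWORD', 'chat_db');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}

$chat = "what's your name?";   // user-supplied text containing an apostrophe

// Vulnerable: the apostrophe ends the string literal early, so this query is
// malformed, and whatever follows the apostrophe in user input becomes SQL.
$unsafeSql = "INSERT INTO messages (body) VALUES ('" . $chat . "')";
echo "Unsafe query (do not run): $unsafeSql\n";

// Escaped: the apostrophe becomes \' so it stays inside the literal.
// Escape with the same connection the query runs on (escaping depends on the
// connection's character set), and still wrap the value in single quotes;
// escaping protects quoted string literals only, not identifiers or numbers.
$sanitizedchat = $db->real_escape_string($chat);
$safeSql = "INSERT INTO messages (body) VALUES ('" . $sanitizedchat . "')";
if (!$db->query($safeSql)) {
    die('Insert failed: ' . $db->error);
}

// Prepared statement: the value is sent separately from the query text, so
// no escaping is needed and the apostrophe can never change the SQL.
$stmt = $db->prepare('INSERT INTO messages (body) VALUES (?)');
$stmt->bind_param('s', $chat);
$stmt->execute();
$stmt->close();
$db->close();
```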