htmlspecialchars is used to include your string in HTML, which is something entirely different from SQL queries.
If $s is some user input (possibly containing quotes, backslashes and whatnot), use
mysql_real_escape_string($s) before using it in SQL queries. For example:
Code:
<?php
// Assumes an open connection made with mysql_connect(); mysql_real_escape_string()
// needs it to know the connection's character set. (Note: the mysql_* extension was
// removed in PHP 7; the same pattern exists as mysqli_real_escape_string().)
$s = $_POST['name'];                 // raw user input, may contain ' " \ etc.
$s2 = mysql_real_escape_string($s);  // backslash-escapes the characters that could end the literal
mysql_query("UPDATE fanclub SET name='$s2' WHERE id=16"); // using $s instead of $s2 here would be wrong!
This isn't just to avoid problems with quotes, but also for security reasons (to prevent injection hacks; otherwise guess what would happen if some bozo enters "x'; DROP TABLE fanclub;" as his name?)
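An added, self-contained illustration of the point made in the post above (not code from the post or from its author): it builds the UPDATE with the name from the post pasted in raw, then with the escaping rules mysql_real_escape_string applies, and then runs the raw version against an in-memory SQLite table to show the DROP actually happens. The Python port of the escaping rules is an assumption (it mirrors the byte-level substitutions of the MySQL function but not its connection-charset handling), and executescript() is used to simulate a driver that accepts several statements in one string. The parameterized update at the end goes beyond the post: it is the form that does not depend on escaping rules at all.

```python
import sqlite3

# Constructed input: the "name" from the post.
PAYLOAD = "x'; DROP TABLE fanclub;"


def build_query_unescaped(name: str) -> str:
    """The bug: the raw value is pasted into the SQL text, so a quote in the
    value closes the string literal and everything after it becomes SQL."""
    return f"UPDATE fanclub SET name='{name}' WHERE id=16"


def mysql_escape(s: str) -> str:
    """Assumed Python port of the substitutions mysql_real_escape_string makes
    (NUL, \\n, \\r, backslash, single quote, double quote, Ctrl-Z).  The real
    function also consults the connection's character set, which is why it needs
    an open connection; this port assumes a single-byte or UTF-8 charset."""
    table = {
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
        "'": "\\'", '"': '\\"', "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in s)


def build_query_mysql_escaped(name: str) -> str:
    """What the post's $s2 line produces for MySQL: the quote becomes \\' and
    stays inside the literal, so the value can no longer terminate it."""
    return f"UPDATE fanclub SET name='{mysql_escape(name)}' WHERE id=16"


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the fanclub table, row 16 present."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fanclub (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO fanclub (id, name) VALUES (16, 'original')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='fanclub'"
    ).fetchone()
    return row is not None


def run_unescaped(name: str) -> bool:
    """Run the concatenated query as a driver that accepts stacked statements
    would (executescript here) and report whether the table survived."""
    conn = fresh_db()
    try:
        conn.executescript(build_query_unescaped(name))
    except sqlite3.Error:
        # With the payload, the text left after "DROP TABLE fanclub;" is a
        # dangling "' WHERE id=16", which fails to parse.  The UPDATE and the
        # DROP have already executed by the time the parser reaches it.
        pass
    return table_exists(conn)


def run_parameterized(name: str) -> tuple[bool, str]:
    """Bind the value as a parameter: it is delivered as data, never as SQL
    text, so no escaping rules are involved.  Returns (table still exists,
    name now stored in row 16)."""
    conn = fresh_db()
    conn.execute("UPDATE fanclub SET name=? WHERE id=?", (name, 16))
    conn.commit()
    stored = conn.execute("SELECT name FROM fanclub WHERE id=16").fetchone()[0]
    return table_exists(conn), stored


if __name__ == "__main__":
    print(build_query_unescaped(PAYLOAD))
    print(build_query_mysql_escaped(PAYLOAD))
    print("table survived raw query:", run_unescaped(PAYLOAD))
    print("parameterized (table exists, stored name):", run_parameterized(PAYLOAD))
```

One thing worth noticing when reading build_query_mysql_escaped's output: the backslash escaping is MySQL's syntax. SQLite, for instance, does not treat backslash as an escape inside a string literal, so the "escaped" text would still be injectable there. Escaping has to match the exact database and connection it is sent to, which is the reason the MySQL function wants a live connection, and the reason the bound-parameter form is the one that travels well.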