
escaping quotes from a string for database insertion

Posted: Tue Nov 18, 2003 2:12 pm
by conundrum
Does anyone know how to escape quotes from a string for insertion into a database?

Let's say there is a field called 'title' in which the user types the following:

Bob's "fantastic" title

or something to that effect. I want to be able to save that in a database (Microsoft server). I know that I need to escape all the single and double quotes before I can insert it.

I have tried the following:
$report_title=addslashes($_SESSION['rptTitle']);
//this only escaped the single quote

So I tried eregi_replace, but wasn't sure how to make it work properly in this instance.
$noquotes=eregi_replace("\"","\\"",$report_title);
//I know that is wrong, but I want to prepend all quotes with an escape. Any thoughts?

Thanks

[EDIT]
Not solved yet, but I just remembered I have to use 2 single quotes to escape a single quote in msServer
[/EDIT]

Posted: Tue Nov 18, 2003 3:04 pm
by JayBird
From manual wrote: string addslashes ( string str)


Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
Add slashes DOES work

Posted: Tue Nov 18, 2003 3:19 pm
by McGruff
Also mysql_escape_string().

Posted: Tue Nov 18, 2003 3:32 pm
by hedge
I don't think that SQLServer will understand the \ escaping. You will probably only need to escape single quotes by doubling them up. Double quotes are not usually an issue.

Posted: Tue Nov 18, 2003 6:26 pm
by m3mn0n
True.

Posted: Wed Nov 19, 2003 8:22 am
by conundrum
Bech100 wrote:
From manual wrote: string addslashes ( string str)


Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
Add slashes DOES work
I figured it should too, but for some reason it is not. Does anyone know if a string containing a combination of single and double quotes will only addslashes to one but not the other? This is what appears to be happening in my case.

However, I did edit my original post immediately and said that I figured slashes wouldn't do it anyway.

escape quotes by prepending a single quote to the front of each for msServer to be happy.

Any thoughts?
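
Added example, not part of the original thread: it runs the thread's sample title through addslashes(), through single-quote doubling, and through a prepared statement, so the difference between the three is visible. It assumes the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for SQL Server, since both escape a quote inside a string literal by doubling it and treat a backslash as an ordinary character; the table name `reports` and the helper `insertConcatenated()` are made up for the illustration.

```php
<?php
// Added example. Assumption: SQLite (in memory) stands in for SQL Server;
// both use '' inside a string literal and give \ no special meaning.
$title = 'Bob\'s "fantastic" title';   // constructed sample input from the thread

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reports (id INTEGER PRIMARY KEY, how TEXT, title TEXT)');

// Hypothetical helper: build the INSERT by concatenation and report the outcome.
function insertConcatenated(PDO $db, string $how, string $escaped): string
{
    $sql = "INSERT INTO reports (how, title) VALUES ('$how', '$escaped')";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

$results = [];

// 1. addslashes(): \' does not escape the quote in this dialect, so the
//    literal ends right after "Bob\" and the statement no longer parses.
$results['addslashes'] = insertConcatenated($db, 'addslashes', addslashes($title));

// 2. Doubling single quotes: valid here, but every query has to remember it.
$results['doubled'] = insertConcatenated($db, 'doubled', str_replace("'", "''", $title));

// 3. Prepared statement: the value travels separately from the SQL text,
//    so no quote handling is needed for single or double quotes.
$stmt = $db->prepare('INSERT INTO reports (how, title) VALUES (?, ?)');
$stmt->execute(['prepared', $title]);
$results['prepared'] = 'ok';

foreach ($results as $how => $outcome) {
    echo "$how: $outcome\n";
}

// Check that each stored row matches the original input byte for byte.
foreach ($db->query('SELECT how, title FROM reports ORDER BY id') as $row) {
    echo $row['how'], ' round-trips intact: ',
         var_export($row['title'] === $title, true), "\n";
}
```

The same prepare()/execute() calls apply with whichever PDO driver connects to the SQL Server instance; only the DSN passed to the PDO constructor changes.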