Allowing ' in input fields.

sampage
Forum Newbie
Posts: 22
Joined: Sat Mar 18, 2006 6:17 pm

Allowing ' in input fields.

Post by sampage »

When a user posts a secret question to their database profile I'd like the system to be able to accept ' symbols.

However it interprets this as part of the command and returns errors. I thought adding: $user_sq = htmlspecialchars($user_sq);
would work but it doesn't.

Any ideas how to get round this one?

Code:

$user_sq = htmlspecialchars($user_sq);
// All checks complete - Update!!! 
$sql = mysql_query("UPDATE usr_table SET user_name='$new_user_name', user_email='$new_user_email', user_sa='$user_sa', user_sq='$user_sq' WHERE user_number=$user_number") or die (mysql_error());
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

If you use mysql then use

Code:

$user_sq = mysql_real_escape_string($user_sq);
which will escape characters such as '
sampage
Forum Newbie
Posts: 22
Joined: Sat Mar 18, 2006 6:17 pm

Thank you!

Post by sampage »

Brilliant, thank you very much! Sometimes I hate PHP, the rest of the time I love it! lol
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

You're welcome.

Please note that mysql_real_escape_string is a very very important function to be able to write a safe script if you're dealing with a MySQL database. It's not only a function just for escaping '. So if you're not too familiar with that function, what it does and why it is used, I would advise you to read some more about it.

You don't want your application vulnerable to SQL injection.
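
The same UPDATE written with bound parameters, as an added example that is not code from the thread or its posters: the mysql_* extension used above was removed in PHP 7.0, and PDO prepared statements keep every value, including the unquoted user_number, out of the SQL text. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the schema and form values are constructed, and update_profile() is a hypothetical helper name.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL (assumption) so the
// script runs offline; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema using the column names from the thread.
$pdo->exec('CREATE TABLE usr_table (user_number INTEGER PRIMARY KEY,
    user_name TEXT, user_email TEXT, user_sa TEXT, user_sq TEXT)');
$pdo->exec("INSERT INTO usr_table VALUES (1, 'old', 'old@example.test', '', '')");

// update_profile() is a hypothetical helper, not code from the thread.
function update_profile(PDO $pdo, array $in): int
{
    // user_number sits outside quotes in the thread's query, where string
    // escaping gives no protection, so require a real integer.
    $id = filter_var($in['user_number'], FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('user_number must be an integer');
    }
    $stmt = $pdo->prepare('UPDATE usr_table
        SET user_name = :name, user_email = :email, user_sa = :sa, user_sq = :sq
        WHERE user_number = :id');
    $stmt->bindValue(':name', $in['user_name']);
    $stmt->bindValue(':email', $in['user_email']);
    $stmt->bindValue(':sa', $in['user_sa']);
    $stmt->bindValue(':sq', $in['user_sq']);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed form input containing apostrophes.
$form = ['user_number' => '1', 'user_name' => 'sam',
    'user_email' => 'sam@example.test', 'user_sa' => "O'Brien",
    'user_sq' => "What is your mother's maiden name?"];
echo 'rows updated: ', update_profile($pdo, $form), "\n";

// The value is stored verbatim; HTML-encode only when printing it into a page.
$sq = $pdo->query('SELECT user_sq FROM usr_table WHERE user_number = 1')->fetchColumn();
echo 'stored: ', $sq, "\n";
echo 'for HTML: ', htmlspecialchars($sq, ENT_QUOTES, 'UTF-8'), "\n";

// A non-integer user_number is rejected before any SQL runs.
try {
    update_profile($pdo, ['user_number' => 'abc'] + $form);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```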