Allowing ' in input fields.

Posted: Sun Mar 19, 2006 8:45 am
by sampage
When a user posts a secret question to their database profile I'd like the system to be able to accept ' symbols.

However it interprets this as part of the command and returns errors. I thought adding: $user_sq = htmlspecialchars($user_sq);
would work but it doesn't.

Any ideas how to get round this one?

$user_sq = htmlspecialchars($user_sq); // only encodes HTML metacharacters; by default a ' is left untouched and still reaches the SQL below
// All checks complete - Update!!! 
// The values are interpolated straight into the query text, so a ' inside $user_sq ends the quoted literal and the statement fails
$sql = mysql_query("UPDATE usr_table SET user_name='$new_user_name', user_email='$new_user_email', user_sa='$user_sa', user_sq='$user_sq' WHERE user_number=$user_number") or die (mysql_error());

Posted: Sun Mar 19, 2006 8:49 am
by matthijs
If you use mysql then use

$user_sq = mysql_real_escape_string($user_sq);
which will escape characters such as '

Thank you!

Posted: Sun Mar 19, 2006 9:01 am
by sampage
Brilliant, thank you very much! Sometimes I hate PHP, the rest of the time I love it! lol

Posted: Sun Mar 19, 2006 9:08 am
by matthijs
You're welcome.

Please note that mysql_real_escape_string is a very very important function to be able to write a safe script if you're dealing with a mysql database. It's not only a function just for escaping '. So if you're not too familiar with that function, what it does and why it is used, I would advise to read some more about it.

You don't want your application vulnerable to sql injection.
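As an added example (not code from either poster), here is the same UPDATE written as a mysqli prepared statement, which is what current PHP offers now that the mysql_* functions have been removed; it assumes $db is an already-open mysqli connection and reuses the table and column names from the first post.

```php
<?php
// Added example: the UPDATE from the thread as a prepared statement.
// Assumes $db is an open mysqli connection (set up elsewhere; not shown).

function update_profile(
    mysqli $db,
    string $new_user_name,
    string $new_user_email,
    string $user_sa,
    string $user_sq,
    int $user_number
): bool {
    // Placeholders keep user-supplied text out of the SQL text entirely,
    // so a ' in the secret question is stored literally and can neither
    // break the statement nor change its meaning. No escaping call needed.
    $sql = "UPDATE usr_table
               SET user_name = ?, user_email = ?, user_sa = ?, user_sq = ?
             WHERE user_number = ?";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }

    // Type string: s = string for the four text columns, i = integer for the key.
    $stmt->bind_param("ssssi", $new_user_name, $new_user_email, $user_sa, $user_sq, $user_number);

    $ok = $stmt->execute();
    if (!$ok) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException("execute failed: " . $err);
    }
    $stmt->close();
    return $ok;
}

// Constructed sample input containing the character the thread was about.
// htmlspecialchars() is for HTML output, not for SQL, so it is not used here.
$ok = update_profile($db, "sam", "sam@example.com", "Fluffy", "What's my cat's name?", 42);
```

Note that in the original query user_number was interpolated without quotes or escaping, so escaping $user_sq alone still leaves that value unprotected; binding it as an integer covers it as well.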