insert data that has apostrophe

Posted: Fri Jul 21, 2006 1:51 pm
by fitchic77
What do I need to do in order to insert a value into the database that has an apostrophe?

$name = "Apostrophe's";
Insert into tablename (name)VALUES('$name')


I get an error.

Posted: Fri Jul 21, 2006 2:10 pm
by Luke

Code:

Insert into tablename (name)VALUES($name)
?

Posted: Fri Jul 21, 2006 2:16 pm
by MarK (CZ)

Code:

mysql_real_escape_string();

Posted: Fri Jul 21, 2006 2:17 pm
by Luke
Oh yeah! DUH! (bonks self on head)

Posted: Fri Jul 21, 2006 2:32 pm
by fitchic77
$address2 = addslashes($_POST['address2']); //store in database - works great
$address2A = stripslashes($_POST['address2']); //display to user

Problem I'm having is now the stripslashes isn't stripping the slash. It is still showing up as name\'s.

Any ideas?

Posted: Fri Jul 21, 2006 3:38 pm
by jmut
fitchic77 wrote:
$address2 = addslashes($_POST['address2']); //store in database - works great
$address2A = stripslashes($_POST['address2']); //display to user

Problem I'm having is now the stripslashes isn't stripping the slash. It is still showing up as fitchic77\'s.

Any ideas?
There is really no reason to use addslashes anywhere in your application (at least I don't know of such a case... and certainly not for escaping data for use in a DB query).

The only reliable way to escape data for usage in a DB query is using mysql_real_escape_string() and prepared statements.

stripslashes() you really only need to use once :)
and this is to properly prepare data if you have no control over the server and magic_quotes are on.

Code:

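// So as the first thing in the script you would have:

if (get_magic_quotes_gpc()) {
    // Work queue of references to the superglobals to clean.
    $in = array(&$_GET, &$_POST, &$_COOKIE);
    while (list($k,$v) = each($in)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
                // Scalar value: undo the slashes magic quotes added.
                $in[$k][$key] = stripslashes($val);
                continue;
            }
            // Nested array: queue it so its values are processed too.
            $in[] =& $in[$k][$key];
        }
    }
    unset($in);
}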
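
The prepared-statement approach mentioned in the last reply, as an added example that is not part of the original thread: the value is bound as a parameter, stored unchanged, and escaped only for the output context when displayed. It assumes PDO with an in-memory SQLite database so that it runs without a MySQL server (the mysql_* functions used in the thread were removed in PHP 7.0); the helper names are hypothetical, and the table and column names come from the original question.

```php
<?php
// Added example: bound parameters instead of addslashes()/stripslashes().
// Assumption: the pdo_sqlite extension is loaded; an in-memory database stands
// in for MySQL. openDemoDb/insertName/fetchName are hypothetical helper names.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table and column names taken from the original question.
    $db->exec('CREATE TABLE tablename (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

function insertName(PDO $db, string $name): int
{
    // The value travels separately from the SQL text, so an apostrophe in it
    // cannot end the string literal the way it does in "VALUES('$name')".
    $stmt = $db->prepare('INSERT INTO tablename (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function fetchName(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM tablename WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = openDemoDb();

// Constructed sample inputs: apostrophe, literal backslash-apostrophe, mixed quotes.
$samples = ["Apostrophe's", "name\\'s", "He said \"it's\""];

foreach ($samples as $input) {
    $id     = insertName($db, $input);
    $stored = fetchName($db, $id);
    // The stored value is exactly the input, so there is nothing to strip on read.
    if ($stored !== $input) {
        throw new RuntimeException('Round trip changed the value');
    }
    // Escape for the output context (HTML here), not with stripslashes().
    echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```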