
allowing ' in mysql

Posted: Sun May 10, 2009 4:48 pm
by tomsace
I have a PHP page to add my records into a MySQL database. But if I write something such as "here's dad" it won't allow it because of the '. How can I allow this ' symbol when entering results into MySQL?

I use this code to set what is entered into my database...

Code:

$sql = "INSERT INTO $db_table(id, idname)
VALUES('','$_POST[id]', '$_POST[idname]')";
if($result = mysql_query($sql ,$db)) {
echo '<center><h1>Thank you</h1>Your information has been entered into our database';
}

And I simply use input forms to enter the data and name them 'idname' and 'title'. Here's an example:

Code:

<input type="text" name="idname" class="input" size="29">

Any help will be much appreciated.

Re: allowing ' in mysql

Posted: Sun May 10, 2009 5:24 pm
by John Cartwright
You should always pass your data through mysql_real_escape_string() to prevent quotes, among other nasty characters, from being injected maliciously, on purpose or not.
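
The failure and the fix discussed in this thread, as an added example that is not part of either post. The mysql_* functions were removed in PHP 7.0, so it uses PDO, where PDO::quote() plays the role of mysql_real_escape_string() and a prepared statement avoids building the SQL string at all. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs without a server, and the table name `records` and the sample value are constructed.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption) so this
// runs offline; against MySQL only the DSN passed to new PDO() changes.
// Table "records" and its columns are assumed from the post's id/idname fields.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, idname TEXT)');

// Constructed sample of what $_POST['idname'] would contain.
$idname = "here's dad";

// 1) The pattern from the question: the value is pasted into the SQL text.
//    The apostrophe ends the string literal early, so the statement is
//    rejected by the SQL parser.
function insertConcatenated(PDO $db, string $value): bool
{
    try {
        $db->exec("INSERT INTO records (idname) VALUES ('$value')");
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// 2) Escaping, the approach from the reply: quote() escapes the value and
//    adds the surrounding quotes, so none are written in the SQL string.
function insertQuoted(PDO $db, string $value): bool
{
    $sql = 'INSERT INTO records (idname) VALUES (' . $db->quote($value) . ')';
    return $db->exec($sql) === 1;
}

// 3) Prepared statement: the value travels separately from the SQL text,
//    so no character in it can change the statement's structure.
function insertPrepared(PDO $db, string $value): bool
{
    $stmt = $db->prepare('INSERT INTO records (idname) VALUES (:idname)');
    return $stmt->execute([':idname' => $value]);
}

printf("concatenated: %s\n", insertConcatenated($db, $idname) ? 'stored' : 'rejected');
printf("quoted:       %s\n", insertQuoted($db, $idname) ? 'stored' : 'rejected');
printf("prepared:     %s\n", insertPrepared($db, $idname) ? 'stored' : 'rejected');

// Show what actually reached the table, apostrophe intact.
foreach ($db->query('SELECT id, idname FROM records') as $row) {
    printf("row %d: %s\n", $row['id'], $row['idname']);
}
```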