Jay Blanchard wrote:
> [snip]
> I'm going to be inserting data from a PHP form into a mysql field. The
> data could contain special characters like < > ' " \ /, etc. How do I
> handle that? just $data = addslashes(htmlspecialchars($data)); before
> the insert query? because later on the data will be read back from the
> mysql db and I don't want it to contain a special character that would
> break the PHP script.
> [/snip]
>
> I would use http://us3.php.net/mysql_real_escape_string

Adam,

As others have suggested the above function is a good route. You should
*always* use some form of safe formatting for putting unsecure data
(e.g. user input) into SQL statements, as this is the root cause of SQL
injection attacks. If you have code in production that does not use a
good method of escaping strings (and the one that's part of the actual
library is a good one!), then I'd look at that sooner rather than later.

Col

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
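
Added example, not part of the thread: the characters from the question stored through the database library's own escaping and through a bound parameter, then HTML-encoded only when printed. It assumes PDO with an in-memory SQLite database (so it runs without a server) and a hypothetical `comments` table; `PDO::quote()` stands in for `mysql_real_escape_string()`, which was removed in PHP 7.

```php
<?php
// Added example. Assumes the pdo_sqlite extension; the table is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed form input containing the characters from the question.
$data = "< > ' \" \\ / written by O'Reilly";

// Route 1: the library's own escaping for this connection, the PDO
// counterpart of mysql_real_escape_string(). quote() also adds the
// surrounding quotes, so none are written in the SQL string.
$db->exec('INSERT INTO comments (body) VALUES (' . $db->quote($data) . ')');

// Route 2: a bound parameter. The value is sent as data and never
// becomes part of the SQL text.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $data]);

// Read both rows back and compare them with the original input.
$rows = $db->query('SELECT body FROM comments ORDER BY id')
           ->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $i => $body) {
    printf("row %d unchanged: %s\n", $i + 1, var_export($body === $data, true));
}

// HTML encoding happens when the value is written into a page,
// so the database keeps the text exactly as the user typed it.
echo htmlspecialchars($rows[0], ENT_QUOTES, 'UTF-8'), "\n";
```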