You need to sanitize and escape the input before inserting it into
the db. You can use http://us.php.net/mysql_real_escape_string to
escape the input.
On Jul 27, 2009, at 09:35, Ben Miller wrote:
Hi,
I have a form in which my sales reps can add new clients into the database, but I'm running into a problem if the client's name includes a single quote, such as O'Henry, when it comes time to input the form data into the database table. I'm guessing I need to use ereg_replace, or something similar, to change the single quote, but I still can't seem to get the syntax right.
Any help would be appreciated. For what it's worth, here is a shortened version of what I have:
$firstName = "$_POST[form_firstName]";
$lastName = "$_POST[form_lastName]";
$query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
VALUES ('$firstName','$lastName')");
Ben Miller
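The failure described in the question and the escaping fix from the reply, as an added example that is not code from this thread. It assumes PDO with an in-memory SQLite database in place of the thread's mysql_* calls so it runs without a server, and it also shows bound parameters, which go beyond the reply's advice. The `$post` array, the value 'Pat' and the function names are made up for the example.

```php
<?php
// Added example: constructed data, in-memory SQLite instead of the thread's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (cust_first TEXT, cust_last TEXT)');

// Constructed stand-in for $_POST from the sales-rep form.
$post = ['form_firstName' => 'Pat', 'form_lastName' => "O'Henry"];

// 1) The pattern from the question: values interpolated straight into the SQL text.
//    The quote in O'Henry closes the string literal early, so the statement fails to parse.
function insertInterpolated(PDO $db, array $post): bool
{
    $sql = "INSERT INTO customers (cust_first, cust_last)
            VALUES ('{$post['form_firstName']}', '{$post['form_lastName']}')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false; // syntax error raised by the database
    }
}

// 2) Escaping, as the reply suggests. PDO::quote() fills the role of
//    mysql_real_escape_string() here and also adds the surrounding quotes.
function insertEscaped(PDO $db, array $post): bool
{
    $sql = 'INSERT INTO customers (cust_first, cust_last) VALUES ('
         . $db->quote($post['form_firstName']) . ', '
         . $db->quote($post['form_lastName']) . ')';
    return $db->exec($sql) === 1;
}

// 3) Bound parameters: the values travel separately and never become SQL text.
function insertPrepared(PDO $db, array $post): bool
{
    $stmt = $db->prepare('INSERT INTO customers (cust_first, cust_last) VALUES (?, ?)');
    return $stmt->execute([$post['form_firstName'], $post['form_lastName']]);
}

var_dump(insertInterpolated($db, $post));
var_dump(insertEscaped($db, $post));
var_dump(insertPrepared($db, $post));
// Rows that were actually stored, to compare against the submitted name.
var_dump($db->query('SELECT cust_last FROM customers')->fetchAll(PDO::FETCH_COLUMN));
```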