On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda <mbmasuda@xxxxxxxxxxxx> wrote:
> You need to sanitize and escape the input before inserting it into the db.
> You can use http://us.php.net/mysql_real_escape_string to escape the input.
>
> On Jul 27, 2009, at 09:35, Ben Miller wrote:
>
>> Hi,
>>
>> I have a form in which my sales reps can add new clients into the
>> database, but I'm running into a problem if the client's name includes
>> a single quote, such as O'Henry, when it comes time to input the form
>> data into the database table. I'm guessing I need to use ereg_replace,
>> or something similar, to change the single quote, but I still can't
>> seem to get the syntax right. Any help would be appreciated. For what
>> it's worth, here is a shortened version of what I have:
>>
>> $firstName = "$_POST[form_firstName]";
>> $lastName = "$_POST[form_lastName]";
>>
>> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
>> VALUES ('$firstName','$lastName')");
>>
>> Ben Miller
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

I like to use http://ca3.php.net/manual/en/function.htmlentities.php

--
Bastien

Cat, the other other white meat
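Added example, not code from the thread: the O'Henry insert done with a PDO prepared statement, shown next to the interpolated string from Ben's post so the failure is visible. Binding the values as parameters keeps the apostrophe (or anything else a user types) out of the SQL text entirely, which is the fix that holds regardless of escaping rules; `mysql_real_escape_string()` and the whole `ext/mysql` extension were removed in PHP 7, and `htmlentities()` encodes for HTML output, not for SQL, so it belongs where the name is rendered back to a page. The database name `crm`, the DSN, the credentials and the 100-character length cap are placeholders; the `customers` table and its columns are the ones from the post.

```php
<?php
// Added example (not from the thread): inserting a customer name such as
// O'Henry with a prepared statement instead of string interpolation.
// Assumes a MySQL/MariaDB database `crm` with the `customers` table from
// the post (`cust_first`, `cust_last`); host, user and password are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=crm;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'app_user', 'app_password', [        // placeholder credentials
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]);
}

// The form of the statement from the original post: the apostrophe in
// O'Henry closes the string literal early, so the SQL is malformed and,
// more importantly, whatever follows the quote is parsed as SQL.
function buildUnsafeInsert(string $first, string $last): string
{
    return "INSERT INTO customers (`cust_first`,`cust_last`) VALUES ('$first','$last')";
}

// Safe form: named placeholders are sent as data, never parsed as SQL.
function insertCustomer(PDO $pdo, string $first, string $last): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO customers (`cust_first`, `cust_last`) VALUES (:first, :last)'
    );
    $stmt->bindValue(':first', $first, PDO::PARAM_STR);
    $stmt->bindValue(':last',  $last,  PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Input handling for the form fields: require presence, trim, and cap the
// length at what the column holds (100 is an assumed column width).
function formField(array $post, string $key, int $maxLen = 100): string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        throw new InvalidArgumentException("missing field: $key");
    }
    $value = trim($post[$key]);
    if ($value === '' || mb_strlen($value) > $maxLen) {
        throw new InvalidArgumentException("invalid length for field: $key");
    }
    return $value;
}

// Constructed sample input standing in for $_POST from the sales-rep form.
$post = ['form_firstName' => 'Bob', 'form_lastName' => "O'Henry"];

$firstName = formField($post, 'form_firstName');
$lastName  = formField($post, 'form_lastName');

// Print the interpolated statement to see the apostrophe land inside the SQL.
echo buildUnsafeInsert($firstName, $lastName), PHP_EOL;

// Insert through the prepared statement; the apostrophe is stored as-is.
$pdo = connect();
$id  = insertCustomer($pdo, $firstName, $lastName);
echo "inserted customer id $id", PHP_EOL;

// Output encoding is a separate step: when the stored name is rendered into
// an HTML page, that is where htmlspecialchars()/htmlentities() applies.
echo htmlspecialchars($lastName, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

`PDO::ATTR_EMULATE_PREPARES => false` makes PDO hand the statement and the parameters to the server separately instead of quoting the values client-side; with the connection charset set in the DSN, that also avoids the multibyte-charset edge cases that made hand-rolled escaping fragile. The same pattern works with `mysqli_prepare()` and `bind_param()` if PDO is not available.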