Bastien Koert wrote:
On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda<mbmasuda@xxxxxxxxxxxx> wrote:
You need to sanitize and escape the input before inserting it into the db.
You can use http://us.php.net/mysql_real_escape_string to escape the input.
On Jul 27, 2009, at 09:35, Ben Miller wrote:
Hi,
I have a form in which my sales reps can add new clients into the
database,
but I'm running into a problem if the client's name includes a single
quote,
such as O'Henry, when it comes time to input the form data into the
database
table. I'm guessing I need to use ereg_replace, or something similar, to
change the single quote, but I still can't seem to get the syntax right.
Any help would be appreciated. For what it's worth, here is a shortened
version of what I have:
$ firstName = "$_POST[form_firstName]";
$ lastname = "$_POST[form_lastName]";
$query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
VALUES ('$firstName','$lastName')");
Ben Miller
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
I like to use http://ca3.php.net/manual/en/function.htmlentities.php
htmlentities should not be used on the data before it goes into the
database. If used it should be used on data coming out of the database.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
