Michael A. Peters wrote:
> Bastien Koert wrote:
>> On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda <mbmasuda@xxxxxxxxxxxx> wrote:
>>> You need to sanitize and escape the input before inserting it into the db.
>>> You can use http://us.php.net/mysql_real_escape_string to escape the input.
>>>
>>> On Jul 27, 2009, at 09:35, Ben Miller wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a form in which my sales reps can add new clients into the
>>>> database, but I'm running into a problem if the client's name includes
>>>> a single quote, such as O'Henry, when it comes time to input the form
>>>> data into the database table. I'm guessing I need to use ereg_replace,
>>>> or something similar, to change the single quote, but I still can't
>>>> seem to get the syntax right. Any help would be appreciated. For what
>>>> it's worth, here is a shortened version of what I have:
>>>>
>>>> $firstName = "$_POST[form_firstName]";
>>>> $lastName = "$_POST[form_lastName]";
>>>>
>>>> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
>>>>     VALUES ('$firstName','$lastName')");
>>>>
>>>> Ben Miller
>>>>
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>> I like to use http://ca3.php.net/manual/en/function.htmlentities.php
>>
>
> htmlentities should not be used on the data before it goes into the
> database. If used, it should be used on data coming out of the database.
>

To summarize: You should prep your data for insertion into the database by
using a tool that formats it strictly for the database. In the OP's case
mysql_real_escape_string() is the correct tool for the job.

htmlentities() is a presentation sanitizing/cleaning tool, but it should
only be used for output to the browser, etc. Same thing with
htmlspecialchars() and all other related functions.
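To make the thread's advice concrete, here is an added example that is not code from any of the posters. It assumes a mysqli connection (the hostname, user, password and database name are placeholders), the `customers` table from Ben's post, and PHP 5.3 or later; the mysql_* functions named in the thread were removed in PHP 7, so the mysqli equivalents are used, which behave the same way. It shows the two layers the summary distinguishes: escaping (or parameter binding) for the database on the way in, and HTML escaping for the browser on the way out.

```php
<?php
// Added example, not from the thread. Connection details are placeholders.
$db = new mysqli('localhost', 'app', 'secret', 'crm');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// real_escape_string is charset-aware, so the connection charset must be set
// before anything is escaped with it.
$db->set_charset('utf8mb4');

// --- On the way in: format the data for the database, and only for the database.

// Variant 1: escape the string for MySQL's SQL dialect, as the thread recommends.
// O'Henry becomes O\'Henry in the query text, so the quote can no longer end
// the string literal. The stored value is still O'Henry.
$firstName = $db->real_escape_string($_POST['form_firstName']);
$lastName  = $db->real_escape_string($_POST['form_lastName']);
$db->query("INSERT INTO customers (`cust_first`, `cust_last`)
            VALUES ('$firstName', '$lastName')");

// Variant 2: a prepared statement. The values are sent separately from the
// SQL text, so there is no string to escape and no way for a quote in the
// name to change the query's structure.
$stmt = $db->prepare('INSERT INTO customers (`cust_first`, `cust_last`) VALUES (?, ?)');
$stmt->bind_param('ss', $_POST['form_firstName'], $_POST['form_lastName']);
$stmt->execute();

// --- On the way out: format the data for HTML, and only at output time.

// Because nothing HTML-specific was done before storage, the row still holds
// the real name (O'Henry, or a name containing < or &). htmlspecialchars is
// applied here, where the value is placed into an HTML document.
$res = $db->query('SELECT cust_first, cust_last FROM customers');
while ($row = $res->fetch_assoc()) {
    echo '<li>' . htmlspecialchars($row['cust_first'], ENT_QUOTES, 'UTF-8') . ' '
               . htmlspecialchars($row['cust_last'],  ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

The point of keeping the two steps apart is that each one is an encoding for a specific consumer: the SQL escape (or parameter binding) exists so the database parser reads the name as data, and htmlspecialchars exists so the browser's HTML parser does the same. Running htmlentities() before the INSERT would store `O&#039;Henry`, which then renders wrongly anywhere that is not an HTML page (a CSV export, an email, a report) and does nothing to stop a quote from breaking the SQL literal.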