RE: Single Quotes in Form Inputs

I think mysql_real_escape_string() works well, but only if you are using a MySQL db; if you are using another db, the best function is addslashes, but for other special characters you will need to treat them in other ways.

Yuri Yarlei.
Programmer PHP, CSS, Java, PostregreSQL;
Today PHP, tomorrow Java, after the world.
Kyou wa PHP, ashita wa Java, sono ato sekai desu.


 
> Date: Mon, 27 Jul 2009 11:10:08 -0700
> From: lists@xxxxxxxxx
> To: mpeters@xxxxxxx
> CC: phpster@xxxxxxxxx; mbmasuda@xxxxxxxxxxxx; biprellim@xxxxxxxxx; php-general@xxxxxxxxxxxxx
> Subject: Re:  Single Quotes in Form Inputs
> 
> Michael A. Peters wrote:
> > Bastien Koert wrote:
> >> On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda<mbmasuda@xxxxxxxxxxxx>
> >> wrote:
> >>> You need to sanitize and escape the input before inserting it into
> >>> the db.
> >>> You can use http://us.php.net/mysql_real_escape_string to escape the
> >>> input.
> >>>
> >>> On Jul 27, 2009, at 09:35, Ben Miller wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>>
> >>>>
> >>>> I have a form in which my sales reps can add new clients into the
> >>>> database,
> >>>> but I'm running into a problem if the client's name includes a single
> >>>> quote,
> >>>> such as O'Henry, when it comes time to input the form data into the
> >>>> database
> >>>> table. I'm guessing I need to use ereg_replace, or something
> >>>> similar, to
> >>>> change the single quote, but I still can't seem to get the syntax
> >>>> right.
> >>>> Any help would be appreciated. For what it's worth, here is a
> >>>> shortened
> >>>> version of what I have:
> >>>>
> >>>>
> >>>>
> >>>> $firstName = "$_POST[form_firstName]";
> >>>>
> >>>> $lastName = "$_POST[form_lastName]";
> >>>>
> >>>>
> >>>>
> >>>> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
> >>>> VALUES ('$firstName','$lastName')");
> >>>>
> >>>>
> >>>>
> >>>> Ben Miller
> >>>>
> >>>>
> >>>>
> >>>
> >>> -- 
> >>> PHP General Mailing List (http://www.php.net/)
> >>> To unsubscribe, visit: http://www.php.net/unsub.php
> >>>
> >>>
> >>
> >> I like to use http://ca3.php.net/manual/en/function.htmlentities.php
> >>
> > 
> > htmlentities should not be used on the data before it goes into the
> > database. If used it should be used on data coming out of the database.
> > 
> 
> To summarize:
> 
> You should prep your data for insertion into the database by using a tool
> that formats it strictly for the database. In the OP's case
> mysql_real_escape_string() is the correct tool for the job.
> 
> htmlentities() is a presentation sanitizing/cleaning tool. But, it
> should only be used for output to the browser, etc... Same thing with
> htmlspecialchars() and all other related functions.
> 
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
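The summary above separates two layers: preparing a value for the database, and encoding it for the browser. The script below is an added example, not code from any poster in this thread. It uses an in-memory SQLite database through PDO so it runs offline; the table and column names come from Ben's original query, the `$post` array is a constructed stand-in for the form's `$_POST`, and the prepared statement stands in for `mysql_real_escape_string()` as the database-side tool (the `mysql_*` functions were removed in PHP 7).

```php
<?php
// Added example, not part of the original thread. Assumes PHP 7+ with the
// pdo_sqlite extension. Table/column names are taken from Ben's query; the
// $post array is a constructed stand-in for $_POST from the sales-rep form.
$post = ['form_firstName' => 'Bill', 'form_lastName' => "O'Henry"];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (cust_first TEXT, cust_last TEXT)');

// 1. The pattern from the original post: interpolate the raw value into the
//    SQL text. The apostrophe in O'Henry terminates the string literal early,
//    so the statement does not parse and the insert fails.
try {
    $db->exec("INSERT INTO customers (cust_first, cust_last) "
            . "VALUES ('{$post['form_firstName']}','{$post['form_lastName']}')");
    echo "raw interpolation unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'raw interpolation failed: ' . $e->getMessage() . "\n";
}

// 2. Database layer: a prepared statement sends the value separately from the
//    SQL text, so no character in the name needs escaping. This replaces the
//    per-driver escaping function the thread recommends.
$insert = $db->prepare(
    'INSERT INTO customers (cust_first, cust_last) VALUES (:first, :last)'
);
$insert->execute([
    ':first' => $post['form_firstName'],
    ':last'  => $post['form_lastName'],
]);

// 3. Presentation layer: htmlspecialchars() is applied only at the moment the
//    value is written into HTML, never before storage.
function render_name(string $first, string $last): string
{
    return '<td>' . htmlspecialchars($first, ENT_QUOTES, 'UTF-8') . '</td>'
         . '<td>' . htmlspecialchars($last, ENT_QUOTES, 'UTF-8') . '</td>';
}

$row = $db->query('SELECT cust_first, cust_last FROM customers')
          ->fetch(PDO::FETCH_ASSOC);
echo render_name($row['cust_first'], $row['cust_last']) . "\n";

// 4. Why encoding before storage is the wrong layer: the stored value would no
//    longer equal what the rep typed, so a later exact-match lookup on the
//    real name would miss the row. With the value stored as typed, it matches.
$encodedForm = htmlentities($post['form_lastName'], ENT_QUOTES, 'UTF-8');
$lookup = $db->prepare('SELECT COUNT(*) FROM customers WHERE cust_last = ?');
$lookup->execute([$post['form_lastName']]);
echo 'rows matching the name as typed: ' . $lookup->fetchColumn() . "\n";
$lookup->execute([$encodedForm]);
echo 'rows matching the htmlentities() form: ' . $lookup->fetchColumn() . "\n";
```

Run it with `php example.php`. Step 1 reproduces Ben's failure, step 2 stores the name intact, step 3 encodes it only for the page, and step 4 shows that a database column holding `htmlentities()` output no longer matches what the user actually entered, which is the reason the thread keeps HTML encoding on the output side.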

