You can use http://us.php.net/mysql_real_escape_string to escape the input.
[8<]
You should prep your data for insertion into the data by using a tool that formats it strictly for the database. In the ops case mysql_real_escape_string() is the correct tool for the job.
What about using prepared statements? This is my preferred method of "escaping output" when I'm using variables in a database query. Of course the ease and convenience of this method will depend to a great extent on what version of PHP is available on the server.
For the OP, have you read up much on SQL injection? If not, here's a decent place to start: http://www.owasp.org/index.php/SQL_injection
Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
