You can also use addslashes

On Mon, Jul 27, 2009 at 11:46 PM, Niel Archer <not@xxxxxxxxxx> wrote:
> > Hi,
> >
> > I have a form in which my sales reps can add new clients into the
> > database, but I'm running into a problem if the client's name includes
> > a single quote, such as O'Henry, when it comes time to input the form
> > data into the database table. I'm guessing I need to use ereg_replace,
> > or something similar, to change the single quote, but I still can't
> > seem to get the syntax right. Any help would be appreciated. For what
> > it's worth, here is a shortened version of what I have:
>
> You shouldn't be trusting form data. Single quotes can also be used to
> add SQL injection.
>
> Replace these two lines:
>
> > $firstName = "$_POST[form_firstName]";
> > $lastName = "$_POST[form_lastName]";
>
> with:
>
> $firstName = mysql_real_escape_string($_POST['form_firstName'], $conn);
> $lastName = mysql_real_escape_string($_POST['form_lastName'], $conn);
>
> Where $conn is your connection resource. Note also I've quoted the key
> names, as they should be unless they are valid constants.
> This will escape any newlines, apostrophes (single quotes), etc. and is
> the absolute minimum you should be doing with any data you do not supply
> yourself.
>
> > $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
> > VALUES ('$firstName','$lastName')");
> >
> > Ben Miller
>
> BTW ereg functions are deprecated in PHP 5.3, so now would be a good
> time to start using the PCRE equivalents.
>
> --
> Niel Archer
> niel.archer (at) blueyonder.co.uk
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Regards
MANU
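The O'Henry insert from the thread, worked through two ways as an added example (not code from any of the posters): the string interpolation Ben started with, which is what breaks on the apostrophe and what Niel warns lets form data become SQL, beside a PDO prepared statement, which is what replaces mysql_real_escape_string now that the mysql_* functions are gone from PHP 7. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table in place of the MySQL customers table; the form values are constructed.

```php
<?php
// Added example, not from the thread. An in-memory SQLite table stands in
// for the MySQL `customers` table; the mysql_* functions used in the thread
// were removed in PHP 7, so PDO is used for both variants.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (cust_first TEXT, cust_last TEXT)');

// Constructed form input, shaped the way $_POST would deliver it.
$post = ['form_firstName' => 'Ben', 'form_lastName' => "O'Henry"];

// 1. The original approach: raw form data interpolated into the SQL text.
// The apostrophe in O'Henry ends the string literal early, so the statement
// is malformed; by the same mechanism, any SQL placed after a quote in the
// input would be parsed as part of the statement.
function insertByInterpolation(PDO $db, array $post): string
{
    $firstName = $post['form_firstName'];
    $lastName  = $post['form_lastName'];
    try {
        $db->exec("INSERT INTO customers (cust_first, cust_last) "
                . "VALUES ('$firstName','$lastName')");
        return 'inserted';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 2. A prepared statement with bound parameters: the values are sent
// separately from the SQL text, so quotes or anything else in the input
// cannot change the statement, and no escaping step is needed.
function insertByPreparedStatement(PDO $db, array $post): string
{
    $stmt = $db->prepare('INSERT INTO customers (cust_first, cust_last) '
                       . 'VALUES (:first, :last)');
    $stmt->execute([
        ':first' => $post['form_firstName'],
        ':last'  => $post['form_lastName'],
    ]);
    return 'inserted';
}

echo insertByInterpolation($db, $post), PHP_EOL;
echo insertByPreparedStatement($db, $post), PHP_EOL;

// Read the row back: the apostrophe is stored exactly as typed.
$row = $db->query('SELECT cust_first, cust_last FROM customers')->fetch(PDO::FETCH_ASSOC);
var_dump($row['cust_last'] === "O'Henry");
```

The first call reports a syntax error from the broken literal and the second inserts the row, which shows why binding parameters, rather than editing the quote out of the name, is the fix for both the O'Henry case and the injection case Niel raises.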