--- carlos castillo <ccastillo@xxxxxxxxxxxxxx> wrote:

> Hi, I have the following problem: I have a form where a user can input
> any text, and in that text there may be a ' char (char(39)). When I try to
> execute the SQL query, I get an error for that '. I need to replace it with
> the HTML tag, for example " is ", or with chr(39), I don't know, and then
> execute the SQL query.

Yikes! Never use user input directly in your SQL statements. This is very dangerous.

There are functions to help you escape your data. For example, if you are using MySQL, you can use this function:

http://www.php.net/mysql_escape_string

However, you should also validate your data before doing anything else. Make sure it is exactly the type of data you are expecting, then escape the string just prior to constructing your SQL statement.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming mid-2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
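An added example to illustrate the exchange above; it is not code from either poster. It shows the naive query from the question breaking on an apostrophe and, worse, returning every row for a crafted value, and then the validate-then-keep-data-out-of-the-SQL approach Chris describes. Where Chris suggests escaping with mysql_escape_string, this example instead binds the value with a PDO prepared statement, so nothing ever needs escaping by hand; the validation policy, the `comments` table, the sample rows and the use of the PDO sqlite driver are all assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Assumes the PDO sqlite driver is
// available; the table, rows and validation rule below are constructed for it.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)");

// 1. The approach from the question: user text spliced straight into the SQL.
//    An apostrophe (chr(39)) closes the string literal early, so the rest of the
//    input is parsed as SQL. That is the error Carlos sees, and it is also the
//    injection hole: whatever follows the apostrophe runs as part of the query.
function findNaive(PDO $db, string $author): array {
    $sql = "SELECT id, body FROM comments WHERE author = '$author'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Validate first: decide what the field is allowed to contain and reject the rest.
//    Assumed policy for this example: 1 to 32 bytes, no control characters.
//    Note that an apostrophe is still allowed; names like o'brien are legitimate data.
function validateAuthor(string $author): bool {
    $len = strlen($author);
    return $len >= 1 && $len <= 32 && !preg_match('/[\x00-\x1f\x7f]/', $author);
}

// 3. Then keep data and code apart: the value is bound to a placeholder, never
//    concatenated into the statement, so an apostrophe is just an apostrophe.
function insertSafe(PDO $db, string $author, string $body): int {
    if (!validateAuthor($author)) {
        throw new InvalidArgumentException('author rejected by validation');
    }
    $stmt = $db->prepare("INSERT INTO comments (author, body) VALUES (:author, :body)");
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function findSafe(PDO $db, string $author): array {
    $stmt = $db->prepare("SELECT id, body FROM comments WHERE author = :author");
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
insertSafe($db, 'carlos', 'first comment');
insertSafe($db, "o'brien", "it's fine when bound");   // apostrophes are stored verbatim

// Naive lookup: the apostrophe breaks the query...
try {
    findNaive($db, "o'brien");
} catch (PDOException $e) {
    echo "naive lookup failed: " . $e->getMessage() . "\n";
}
// ...and a crafted value turns the WHERE clause into "author = '' OR '1'='1'",
// returning every comment in the table.
echo count(findNaive($db, "' OR '1'='1")) . " rows returned to the naive lookup\n";

// Bound lookup: the same strings are treated purely as data.
echo count(findSafe($db, "o'brien")) . " row(s) for o'brien\n";
echo count(findSafe($db, "' OR '1'='1")) . " row(s) for the injection payload\n";

// Rejected before any SQL is built.
try {
    insertSafe($db, "bad\x00name", 'body');
} catch (InvalidArgumentException $e) {
    echo "validation: " . $e->getMessage() . "\n";
}
```

If you must escape instead of bind (for example with the old mysql_* functions Chris points to), use the escaping routine for the exact database and connection you are talking to, and apply it once, immediately before the string goes into the statement; an HTML entity such as the one suggested in the question is not an SQL escape and will not stop the apostrophe from terminating the literal. When PDO is used against MySQL, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client, performs the parameter binding.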