Never trust the web... Escaping is bad practice. Doing it is to ask for trouble when you try to port the code to another system that a) escapes in another way, or b) does not escape at all. The transparent way to handle quotes is to quote them. This has been working for the last 40 to 50 years or so, and still works fine. Why not stay with a winner?

-----Original Message-----
From: Brent Baisley
To: carlos castillo
Cc: php-general@xxxxxxxxxxxxx; php-windows@xxxxxxxxxxxxx
Sent: 2004-02-17 21:02
Subject: Re: [PHP] Replace of ' in a query

Look at the addslashes command. You should always escape the values you are accepting from user input. If you read almost any article on web site security, it will mention something called SQL injection, among other things. This is a way to compromise your data.

For instance, what if a user entered:

"1" OR "A"="A"

Now what if you used that user input to filter a query. You may end up with:

SELECT * FROM db WHERE field="1" OR "A"="A"

Which would return every record in the database.

On Feb 17, 2004, at 2:44 PM, carlos castillo wrote:

> Hi, I have the following problem: I have a form where a user can input
> any text, and in that text there may be a ' char (char(39)). When I try to
> execute the SQL query, I get an error for that '. I need to replace it with
> the HTML tag, for example " is ", or with chr(39), I don't know, and then
> execute the SQL query.
>
> I really appreciate your help, thanks.
>

--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search & Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
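An added illustration of the two problems raised in this thread (Brent's `OR "A"="A"` input and the original poster's stray apostrophe), written for this page and not code from any of the participants: a Python/SQLite script that contrasts hand-quoted string concatenation with a bound parameter. The table `db`, the column `field` and the three sample rows are constructed for the example; single quotes are used because the original question was about the ' character, and the concatenated variant returns `None` where the database raises the kind of error the poster described.

```python
import sqlite3


def build_db():
    """Constructed sample table: three rows, one containing the apostrophe
    the original poster was having trouble with."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (field TEXT)")
    conn.executemany("INSERT INTO db VALUES (?)",
                     [("1",), ("2",), ("O'Brien",)])
    return conn


def query_concatenated(conn, user_input):
    """The pattern the thread warns against: wrap the value in quotes by hand
    and splice it into the SQL text. The quotes stop protecting anything as
    soon as the value itself contains a quote. Returns None if the database
    rejects the resulting statement."""
    sql = "SELECT field FROM db WHERE field='" + user_input + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def query_parameterized(conn, user_input):
    """Bound parameter: the SQL text is fixed and the value travels
    separately, so a quote inside the value is only data. No escaping or
    manual quoting is needed, whatever the backend."""
    sql = "SELECT field FROM db WHERE field=?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


if __name__ == "__main__":
    db = build_db()
    for value in ("1", "1' OR 'A'='A", "O'Brien"):
        print(repr(value),
              "concatenated:", query_concatenated(db, value),
              "parameterized:", query_parameterized(db, value))
```

The concatenated form returns every row for the injected input and fails outright on `O'Brien`; the bound parameter matches exactly the row the user typed in both cases.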