special characters in SQL query

Anon

hi all,
i get an error when i try to pass a variable that contains a special character in a SQL string. The special character is a "'". How can i resolve this problem? I tried with AddSlashes function but it doesn't work.
Really thanks

Dario

Anon

show us how you build your query, maybe you are doing something wrong with the addslashes command.

Anon

$variabile=$HTTP_GET_VARS["variabile"];
$variabile=addslashes($variabile);

$strsql="INSERT INTO richieste
(IDrif, RifArticoli, Q, idtabella, OP_OK, datascrittura, IDRICHIESTA )
SELECT Shop.IDrif, Shop.RifArticoli, Shop.Q, Shop.idtabella, Shop.OP_OK, Shop.datascrittura, ";
$strsql=$strsql . " '".$variabile."' AS IDRICHIESTA FROM Shop WHERE (((Shop.IDrif)=1";

Vincent wrote:

show us how you build your query, maybe you are doing something wrong with the addslashes command.

Anon

In PHP, variables are expanded insite double quotes.

If you have this:

$field="my_field";
$sql_statement="SELECT $field FROM table";

then $sql_statement will contain: "SELECT my field FROM table"

You could use this:
$strsql .= "$variabile AS IDRICHIESTA FROM Shop WHERE (((Shop.IDrif)=1";

If you want to use the content of the variable as real a string in the query, use the escaped-quote to put quotes around the vontent of the variable, like this:

$sql_statement="SELECT \"$field\" FROM table";

which gives: "SELECT "my_field" FROM table"

You are also missing quote a few )'s at the end of your statement.

Another tip: use error checking on your sql commands. It will tell you allmost exactly what is wron with your statement.
if (!($result=mysql_query(bla)))
{
print $sql_statement;
print mysql_errno().": ".mysql_error()."<BR>";
}
else
{

process the results

};