replacing single quotes with php before inserting into mysql?

gio50000

I'm replacing a single quote with the backward tick (`) symbol and inserting new records in MySQL with success. The owner has requested to see single quotes not the backward tick. How can I insert without using the str_replace method below? or does anyone have ideas where I can find sample code?

$sqlset = $sqlset . "Title";
$sqlset2 = $sqlset2 . "'" . str_replace("'", "`",$HTTP_POST_VARS["title"]) . "'";

steved

Replace each single quote with two single quotes

$new_string = str_replace("'","''",$your_string);

gio50000

$new_string = str_replace("'","''",$your_string);

$new_string = str_replace("double, single and double quotes, double, single, double qoutes, $your_string);

If so I tried this before without success. Does the code below look incorrect I have to have this format?

$sqlset2 = $sqlset2 . "'" . str_replace("'", "`",$HTTP_POST_VARS["title"]) . "'";

steved

Change your back tick to be two single quotes.

Then I'd print out the value of $sqlset2 just to see what you are getting. Not sure what should be there, but it should be a string with single quotes on the outside and then doubled up single quotes within.

gio50000

OK tried it and by typing in --> it's

the output was 'it\'s'

It's escaping somewhere below:
$sqlset2 = $sqlset2 . "'" . str_replace("'", "'",$HTTP_POST_VARS["title"]) . "'";

steved

Now you're replacing a single quote with a single quote. That's not going to help much.

$sqlset2 = $sqlset2 . "'" . str_replace("'", "'",$HTTP_POST_VARS["title"]) . "'";

Change it to:

$sqlset2 = $sqlset2 . "'" . str_replace("'", "''",$HTTP_POST_VARS["title"]) . "'";