following problem:
function store_some_crap($subj = "", $body = "") {
    if ($body) {
        // $subj and $body are spliced straight into the SQL text, so a '
        // inside either value closes the string literal early and the
        // query fails (the behaviour described below).
        if (@mysql_query("INSERT INTO msg
                          (subj, body)
                          VALUES ('" . $subj . "', '" . $body . "');") or
            die("<B>Error</B>")) {
            return TRUE;
        }
        else {
            return FALSE;
        }
    }
    else {
        return FALSE;
    }
}
When I try inserting data (from a user form) into the database by calling the function above, I run into the problem that the input of a ' will cause a MySQL error.
Using this query:
//...
INSERT INTO msg
    (subj, body)
    VALUES (\"" . $subj . "\", \"" . $body . "\");
//...
(the parser swallowed the first escaped ")
resolves this problem BUT causes the same behavior with "s.
None of these problems exist when I insert the values straight from the input fields without passing them on to the function. I figured that's an encoding problem and wondered if anyone out there knows how to resolve this crap. I've run into this before, yet this time I really cannot work around it.
What I am doing right now is
//...
INSERT INTO msg
    (subj, body)
    VALUES ('" . str_replace("'", "`", $subj) . "', '" . str_replace("'", "`", $body) . "');
//...
but this is just a really crappy solution... so...
As usual, happy about any suggestions. I hope y'all have a bit of vacation time.
rock on - sid
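The root cause in the post is that the values are glued into the SQL text, so any quote character in them becomes SQL syntax; swapping ' for ` only hides the symptom and still corrupts the data. The standard fix is a prepared statement, where the SQL is sent with placeholders and the values are bound separately, so quotes are stored as plain data. The old mysql_* extension the post uses has no prepared statements; PDO and mysqli do. The following is an added example (not sid's code and not from the original thread) written with PDO. Table name msg and columns subj and body come from the post; the DSN is an assumption (SQLite in memory so the script runs offline; for MySQL a DSN such as "mysql:host=...;dbname=...;charset=utf8mb4" would be used instead), and the sample subject and body are constructed inputs containing both kinds of quotes.

```php
<?php
// Added example, not code from the original post. Same insert as
// store_some_crap(), but done with a prepared statement so that ' and "
// inside $subj / $body can never alter the SQL text.
declare(strict_types=1);

// Assumption: SQLite in memory so this runs offline. For MySQL pass a DSN
// such as 'mysql:host=localhost;dbname=app;charset=utf8mb4' plus credentials.
function connect(string $dsn = 'sqlite::memory:'): PDO
{
    $pdo = new PDO($dsn);
    // Throw on errors instead of returning false, so failures are not
    // silenced the way @mysql_query(...) silences them.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Store one message. The SQL string is constant; the values travel as
// bound parameters, so quote characters in them are data, not syntax.
// Keeps the original rule that an empty body is rejected.
function store_message(PDO $pdo, string $subj, string $body): bool
{
    if ($body === '') {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO msg (subj, body) VALUES (:subj, :body)');
    return $stmt->execute([':subj' => $subj, ':body' => $body]);
}

// Read everything back so the stored bytes can be compared with the input.
function fetch_messages(PDO $pdo): array
{
    return $pdo->query('SELECT subj, body FROM msg')->fetchAll(PDO::FETCH_ASSOC);
}

// Demo: constructed inputs that break the concatenated query in the post.
$pdo = connect();
$pdo->exec('CREATE TABLE msg (subj TEXT, body TEXT)');

$subj = "it's \"quoted\"";                    // constructed sample
$body = "O'Reilly wrote: \"don't\"; ` as well"; // constructed sample

var_dump(store_message($pdo, $subj, $body));   // insert succeeds
var_dump(store_message($pdo, 'no body', ''));  // rejected: empty body

foreach (fetch_messages($pdo) as $row) {
    // Values come back exactly as given; no ` substitution was needed.
    echo $row['subj'], ' | ', $row['body'], PHP_EOL;
}
```

The same pattern works with mysqli (prepare, bind_param, execute). What matters is that user input is never concatenated into the query string; escaping with str_replace or even a proper escape function is a weaker substitute that still has to be applied correctly on every query.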