[Resolved] Escaping Double Quotes in SQL

microbluechip

Hi all,

I have the following PHP command that issues an UPDATE SQL command. the function db_query is simply a wrapper to the mysql_query function and handles errors.

db_query("UPDATE categories SET code = '".addslashes($code)."', description = '".addslashes($description)."' WHERE categoryid = ".$cat);

The problem here is that when the variables $code or $description contain a double quote (") it causes a error even though it has been escaped by a backslash using the addslashes command. All other punctuation like commas and single quotes are not affected.

I can not seem to find the obvious solution here if there is one. The same result happens if I use mysql_escape_string to mirror the functionality of addslashes. btw, I have no control of the magic_quotes_gpc setting in php.ini

Any help or guidance will be greatly appreciated.

dopey

Hi,

Can you echo out the query in full, so it's easy to see what is being executed?

calua

hi,

try, instead of addslashes, mysql_escape_string.

Caluã

laserlight

You should avoid using backslashes to escape single quotes, unless you're sure you'll be using an RDMS that accepts that.

Rather, you should double the single quotes, i.e.
' -> ''
(Note: 2 single quotes, not 1 double quote)

You might have to set magic_quotes_gpc to off, or use stripslashes() first.