Inserting a ' into the DB??

Napster

How can I insert a ' that is in a string variable into the database? I tried inserting it without doing anything to it, but I get mysql errors? Like for example, say my code was


$var = "Josh's variable";

mysql_query("INSERT INTO table SET fieldname1='$var', fieldname2='1'") or die(mysql_error());

The error would say that there is an error starting at

', fieldname2='1'") or die(mysql_error());

How can I fix this?

sturoy

Gotta have a backslash in the string before putting it into the DB:

$var = "Josh/'s variable";

There are some PHP functions that can do this for you... don't know what they are, but the one for taking them out is

stripslashes()

so you can find it in the manual from that... hope it helps!!

sturoy

here we go...

addslashes()

<?php
$str = "Is your name O'reilly?";

// Outputs: Is your name O\'reilly?
echo addslashes($str);
?>

Backslashes, as I said, not forward slashes as I typed...

Napster

Now how would I get the string from the database so that when I echo it, it appears as ' and not as \' ?

TruckStuff

For the love of all that is good, PLEASE learn how to use databases securely before attempting real applications. Trust me, if you don't do this now, you'll be posting back in a few weeks wondering how your server got hacked.

Most important rules when accepting input from users:

1) ALWAYS ALWAYS ALWAYS validate your input!! Use regular expressions to scrub the input. Watch out for cross-site scripting. Cast variables as the appropriate data types. NEVER accept user input without cleaning it first

2) ALWAYS use [man]stripslashes[/man] and [man]addslashes[/man]! Never input data into your database without cleaning out potentially dangerous characters. This is how SQL-Injection attacks happen. Also checkout [man]mysql_escape_string[/man].

Believe me, you will save your self tons of aggrevation in the long run if you learn how to use databases correctly now rather than later.

breckenridge

try this:

$var="Josh's variable";

mysql_query("INSERT_INTO_table (var) values ('$var')",$db);

chucklarge

[man]mysql_escape_string[/man] is just for this purpose

laserlight

Actually, you dont always have to escape quotes, since magic_quotes_gpc is on by default.
Also, doubling single quotes tend to be more common a method of escaping them than using backslashes.