Speech marks problem

bailo81

I have been using this code to save data into my database:

 
<?php 
include ("dbconnector.php"); 
$type = stripslashes ($_SESSION['type']); 
$title = stripslashes ($_SESSION['title']); 
$artist = stripslashes ($_SESSION['artist']); 
$description = stripslashes ($_SESSION['description']); 
$table = stripslashes ($_SESSION['table']); 

$db_sql_query    ="INSERT INTO   $table  (item_type, 
                                         item_name, 
                                         item_artist, 
                                         item_description) 

                              VALUES  ($type, 
                                     $title, 
                                     $artist, 
                                     $description)"; 
//the code below checks that the information has been passed to the database, if it hasnt then a mysql error will be displayed 
$db_result = @mysql_query($db_sql_query, $db_connection) or die("Error #". mysql_errno() . ": " . mysql_error()); 
//if it has the include below will display 
echo "the item has been saved <a href=\"new_item.php\">add another</a> "; 
?>

and this works fine unless there are speech marks and it then kicks up the following error:

Error #1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'BOOMA-ABOOMA-ABOOMA-ABOOM"!, the drums kick in'

I'm not sure what the problem is
please help!! 😕

laserlight

Why do you use stripslashes() on the session data?

bailo81

i was told to do this as if the data had speech marks in it when it echoed it back to screen it put backslashes in front of them

laserlight

If magic_quotes_gpc is set to 1 in php.ini, then incoming data would be escaped with backslashes.
MySQL also uses backslashes for escaping special characters, so this is a Good Thing when MySQL is involved.

As such, if the data was escaped prior to be stored in the session, you need to use addslashes() or mysql_escape_string() instead.
When retrieving escaped data from the database, you dont need to use stripslashes() because the data has already been escaped.

stripslashes() comes in handy when printing escaped characters from incoming data when magic_quotes_gpc is 1.