I have a data entry form that stores data into a MySQL database. The problem I have is that if someone enters a quote (' or ") into the field, it breaks my code.
mysql_query("insert into tasks(item,priority,status,accountable,review,notes,creator) values('$item', '$priority', '$status1', '$accountable', '$review','$notes','$user')");
How are you supposed to deal with quotes? Is there a best practice method?
Thanks,
Jon
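An added example, not part of the original post: the same INSERT written as a prepared statement with PDO, so quotes in the input travel as bound data and never become part of the SQL text. The in-memory SQLite DSN, the column types and the addTask() helper are assumptions made so the block runs on its own; the column names come from the query above.

```php
<?php
// Assumption: in-memory SQLite stands in for MySQL so this runs offline.
// For MySQL, use a DSN such as 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also turn off emulation so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Column types are assumed; only the column names come from the question.
$pdo->exec('CREATE TABLE tasks (
    id INTEGER PRIMARY KEY, item TEXT, priority TEXT, status TEXT,
    accountable TEXT, review TEXT, notes TEXT, creator TEXT)');

// Hypothetical helper: inserts one task using named placeholders.
function addTask(PDO $pdo, array $task): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO tasks (item, priority, status, accountable, review, notes, creator)
         VALUES (:item, :priority, :status, :accountable, :review, :notes, :creator)'
    );
    // Values are bound, not concatenated: ' and " need no escaping.
    $stmt->execute([
        ':item'        => $task['item'],
        ':priority'    => $task['priority'],
        ':status'      => $task['status'],
        ':accountable' => $task['accountable'],
        ':review'      => $task['review'],
        ':notes'       => $task['notes'],
        ':creator'     => $task['creator'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input containing both quote characters.
$task = [
    'item' => "Review Jon's form", 'priority' => 'high', 'status' => 'open',
    'accountable' => "O'Brien", 'review' => '2 weeks',
    'notes' => 'Customer said "it breaks" on save', 'creator' => 'jon',
];
$id = addTask($pdo, $task);

// Read the row back and confirm the quotes were stored unchanged.
$check = $pdo->prepare('SELECT item, accountable, notes FROM tasks WHERE id = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);
echo $row['item'] === $task['item'] && $row['notes'] === $task['notes']
    ? "stored verbatim\n" : "mismatch\n";
```

The mysql_* functions used in the question were removed in PHP 7; PDO and mysqli are the supported replacements, and both offer prepared statements.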