Help with the single quote ' mark from php to MYsql

woocha

Hey guys... I need some help here. I built a form for my users to fill out, and while testing it out some people told me the they couldn't used the sinlge quote such as in the word "couldn't" When a user types in a single quote, I want the php script to take the single quote and pass it to the Mysql DB so that the correct information can be propperly displayed at a later date.
Does anyone have any ideas on how to do this without having my user type a back slash \ before each and every single quote mark ?

thanks guys

NogDog

[man]mysql_real_escape_string/man -- which you should be using in any case to prevent SQL injection attacks.

woocha

hey..thanks for the tip...I really appreciate. I'll check it out tonight and see how it works.

bradgrafelman

Just to stress the point even more...

You should never place user-supplied data (e.g. anything from $POST, $GET, $COOKIE, and even some items from $SERVER) directly into a SQL query! Instead, you should escape it with a function such as [man]mysql_real_escape_string/man or take other measures to ensure you're getting the data you're expecting (ex. casting $_GET['id'] to an integer when using it in a query).

Piranha

Just to stress the point even further...

If you use user-supplied data directly (and not as bradgrafelman suggests) it could give users access to data that they should not have, or even to change or delete your whole database.

laserlight

Since everyone is in a "Let's stress the point!" mood, you can take a look at the Sanitize your inputs! thread for comic relief concerning what can happen if you fail to do as has been stressed by NogDog, bradgrafelman and Piranha.