I have forms which post text into a MySQL db, no problem there.
But if a user enters a " ; " (semi-colon), then when a page which contains the text is viewed, I get a MySQL error...
details
to insert the text into the db
$insertSQL = sprintf("INSERT INTO es_img_gallery (gallery, description, type) VALUES (%s, %s, %s)",
GetSQLValueString(htmlspecialchars($_POST['galleryName']), "text"),
GetSQLValueString(htmlspecialchars($_POST['description']), "text"),
GetSQLValueString($_POST['type'], "text") );
and to read the text from the db
$type is set internally and in this case = "gallery"
$display_galleries = sprintf("SELECT * FROM es_img_gallery WHERE type = '%s' ORDER BY id DESC", $type);
$get_galleries = mysql_query($display_galleries, $db_conn) or die(mysql_error());
$row_get_galleries = mysql_fetch_assoc($get_galleries);
$totalRows_get_galleries = mysql_num_rows($get_galleries);
and
echo htmlspecialchars($row_get_galleries['gallery']);
Now I entered the text
Another ';sdasd ''fd;s'
into the form (I know it's mince, but a user might just do that)
and on the viewing page I get the following MySQL Error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';sdasd ''fd;s''' at line 1
What am I doing wrong?
I know it's entered ok because I can view the contents with phpMyAdmin...
thanks V much...
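
The fragment quoted in the error (the entered text from its first apostrophe onward, plus one closing quote) is consistent with the stored value being pasted into a quoted SQL string on the viewing page. The following is an added example, not code from the original post: it stores and looks up the same text with bound parameters and HTML-escapes only at output. Assumptions: PDO with an in-memory SQLite database stands in for MySQL, and the `es_img` table and the lookup by gallery name are hypothetical.

```php
<?php
// Added example with constructed data. SQLite in memory stands in for MySQL
// so the script runs offline; the PDO calls are the same for a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE es_img_gallery
            (id INTEGER PRIMARY KEY, gallery TEXT, description TEXT, type TEXT)");
// Hypothetical second table that the viewing page looks up by gallery name.
$pdo->exec("CREATE TABLE es_img (id INTEGER PRIMARY KEY, gallery TEXT, file TEXT)");

$name = "Another ';sdasd ''fd;s'";   // the text entered in the post

// Store the raw text through bound parameters. No htmlspecialchars() here:
// HTML escaping belongs at output, not in the database.
$ins = $pdo->prepare(
    "INSERT INTO es_img_gallery (gallery, description, type) VALUES (?, ?, ?)");
$ins->execute([$name, 'constructed description', 'gallery']);
$pdo->prepare("INSERT INTO es_img (gallery, file) VALUES (?, ?)")
    ->execute([$name, 'constructed.jpg']);

// Read the gallery row back, again with a bound parameter.
$sel = $pdo->prepare("SELECT * FROM es_img_gallery WHERE type = ? ORDER BY id DESC");
$sel->execute(['gallery']);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// What string interpolation does with a value read back from the database:
// the first apostrophe in the data closes the SQL string literal early and
// the rest is parsed as SQL. Built here for display only, never executed.
$broken = sprintf("SELECT file FROM es_img WHERE gallery = '%s'", $row['gallery']);
echo "interpolated: ", $broken, "\n";

// The same lookup with a bound parameter: the value travels as data, so
// quotes and semicolons in it have no effect on the statement.
$files = $pdo->prepare("SELECT file FROM es_img WHERE gallery = ?");
$files->execute([$row['gallery']]);
echo "files matched: ", count($files->fetchAll(PDO::FETCH_ASSOC)), "\n";

// Escape for HTML only when printing, including both quote styles.
echo htmlspecialchars($row['gallery'], ENT_QUOTES, 'UTF-8'), "\n";
```

Values that come back out of the database need the same treatment as `$_POST` input whenever they go into another query.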