I've been entering membership data into my database and just discovered that anybody with an apostrophe in their name didn't get entered. I also discovered that using ASCII input would work fine, but I can't expect others to know that. So I did a little googling and found that mysql_real_escape_string should fix this issue. Right? (If not, then the rest of this post won't matter.)
Well, I was already using mysql_real_escape_string on my updating page, but the page I use to add new data isn't written the same way and I can't figure out the correct way to add the mysql_real_escape_string code.
Here's how I'm using mysql_real_escape_string successfully on a page where I can update existing users:
    if ($_POST) {
        // Each submitted value is escaped before it is placed inside the quoted SQL string.
        $sql = "UPDATE brotherhood SET
            firstname='".mysql_real_escape_string($_POST['firstname'])."',
            lastname='".mysql_real_escape_string($_POST['lastname'])."',
            phone='".mysql_real_escape_string($_POST['phone'])."',
            email='".mysql_real_escape_string($_POST['email'])."',
            share='".mysql_real_escape_string($_POST['share'])."'
            WHERE wp_user='$current_user->user_login'";
        mysql_query($sql) or die(mysql_error());
    }
But the code I use to add new users doesn't look the same and I can't figure out how to properly add the mysql_real_escape_string:
    $sql = "INSERT INTO brotherhood (firstname,
                                     lastname,
                                     phone,
                                     email,
                                     share)
            VALUES ('$firstname',
                    '$lastname',
                    '$phone',
                    '$email',
                    '$share')";
    $result = mysql_query($sql);
How do I add mysql_real_escape_string to the 2nd example? (And will that fix the problem with apostrophes in the first place?)
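An added example, not part of the original post: the INSERT above written as a prepared statement, so an apostrophe in a name is sent as data instead of being spliced into the SQL text. It assumes PDO is available, uses an in-memory SQLite database and constructed submissions in place of the MySQL server and `$_POST`, and `add_member` is a hypothetical helper.

```php
<?php
// Added example with constructed data. SQLite in memory stands in for the
// MySQL server so the script runs offline; against MySQL only the DSN and
// credentials passed to new PDO(...) change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE brotherhood
            (firstname TEXT, lastname TEXT, phone TEXT, email TEXT, share TEXT)');

// Hypothetical helper: inserts one member, returns the number of rows added.
function add_member(PDO $pdo, array $input): int
{
    $fields = ['firstname', 'lastname', 'phone', 'email', 'share'];
    $params = [];
    foreach ($fields as $field) {
        // Missing form fields become empty strings; nothing is escaped by hand.
        $params[":$field"] = isset($input[$field]) ? trim((string) $input[$field]) : '';
    }
    // The SQL text is fixed; the values travel separately as bound parameters.
    $stmt = $pdo->prepare(
        'INSERT INTO brotherhood (firstname, lastname, phone, email, share)
         VALUES (:firstname, :lastname, :phone, :email, :share)'
    );
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed submissions standing in for $_POST.
$submissions = [
    ['firstname' => 'Sean', 'lastname' => "O'Brien", 'phone' => '555-0100',
     'email' => 'sean@example.org', 'share' => 'yes'],
    ['firstname' => "D'Arcy", 'lastname' => 'Smith', 'phone' => '555-0101',
     'email' => 'darcy@example.org', 'share' => 'no'],
];
foreach ($submissions as $post) {
    add_member($pdo, $post);
}

// Read the rows back to confirm the apostrophes were stored unchanged.
foreach ($pdo->query('SELECT firstname, lastname FROM brotherhood') as $row) {
    echo $row['firstname'], ' ', $row['lastname'], PHP_EOL;
}

// With the legacy mysql_* API used in the post (removed in PHP 7.0), the
// equivalent is to escape each value on an open connection before the INSERT
// string is built, assuming $firstname etc. hold the raw form values:
//   $firstname = mysql_real_escape_string($firstname);
```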