hi,

i am writing a program to send data to a php file to update a db in mysql. it seems that all my data works (even double quotes) but the single quotes do not work because my query looks like this:

=> update... set something = '$text'

now, because $text is surrounded by single quotes, i think the single quote in the data passed to $text conflicts with the ending single quote in the query. so i tried to

=> ereg_replace("'", "\'", $text)

but this makes every single quote \' (i.e., it inserts two back slashes instead of one!)

i checked the php.net help and there are two functions (htmlspecialchars as well as htmlentities) but none of them is working!

please please help! what can i do now? what do you people do for inserting the data so that _lesser than sign, greater than sign, double quote, single quote, ampersand_ can be inserted as well as retrieved correctly? i think for the display side, htmlspecialchars() might work, but not for inserting or updating.

pls pls help! i am using PEAR db abstraction layer.

thanks!!

    As per ANSI SQL standard, single quotes (') are escaped by two single quotes ('').

    e.g.: To insert "Tom's Wheels", use:

    insert into tbl values ('Tom''s Wheels')

    Some databases use a proprietary extension of escaping the quote with a backslash. If you feel like using this, look at addslashes().

      Thanks a lot for replying, Gerald. But neither of the following is working:

      => str_replace("'", "''", $text) // replace with two single quotes

      or

      => addslashes($text)

      because addslashes even escapes the double quote, which i don't want! 🙁
      i only want the single quotes escaped!

      pls help! i use mysql ...thanks

        try it like this:

        $query = "INSERT INTO table (field) values (\"".addslashes($string)."\")";

          Thanks vincent, but it doesn't work either! I checked my PHP.INI file for the "magic quotes" and they seem to be on. Could that be it?

          I would really appreciate knowing what's going on. I use PHP4.0.4

          Thanks!

            just insert it without doing anything with the slashes, and then when you want to view it:

            $text = htmlspecialchars(stripslashes($text));

            then show it. all problems fixed.
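
Added example, not code from any poster in this thread: with magic quotes on, the posted value already carries one layer of backslashes, so escaping it again doubles them, and the way out is to strip that layer once and pass the text as a bound parameter instead of building it into the SQL string. PDO with an in-memory SQLite database stands in for PEAR DB and MySQL here, `simulate_magic_quotes()` imitates what the old `magic_quotes_gpc` setting did, and the `notes` table, its columns and the sample text are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for PEAR DB + MySQL.
// Table name, column names and helper names are hypothetical.

// What magic_quotes_gpc did to every GET/POST/cookie value before the script ran.
function simulate_magic_quotes(string $v): string {
    return addslashes($v);
}

// Undo that one layer exactly once, at the input boundary.
function undo_magic_quotes(string $v): string {
    return stripslashes($v);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$pdo->exec("INSERT INTO notes (id, body) VALUES (1, '')");

$typed  = 'Tom\'s "Wheels" <b> & Co';     // constructed sample input
$posted = simulate_magic_quotes($typed);  // what the script receives

// Escaping by hand on top of magic quotes is the source of the doubled backslash.
$doubled = addslashes($posted);
echo "received: $posted\n", "escaped again: $doubled\n";

// Bound parameters travel separately from the SQL text, so no character
// in the value can end the string literal and nothing needs escaping.
$update = $pdo->prepare('UPDATE notes SET body = ? WHERE id = ?');
$update->execute([undo_magic_quotes($posted), 1]);

$select = $pdo->prepare('SELECT body FROM notes WHERE id = ?');
$select->execute([1]);
$stored = $select->fetchColumn();

// The database holds the text exactly as typed: quotes, <, > and & included.
var_dump($stored === $typed);

// HTML-encode only when writing into a page, never before storing.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```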
