views:

58

answers:

2

I have some HTML code saved in a PHP string:

$str = "<font size=2 color=#e0e0e0>you don't have a clue</font>";

I have to write this string to the DB, so $str has to become part of the query.

Now, whatever my query, it works fine as long as there are no SINGLE QUOTES in the string.

Either of the following two will solve my problem:

    1. Some built-in method to parse a PHP string and remove all the SINGLE QUOTES from it. I remember mention of such a function while going through SQL injection.

    2. How to allow SINGLE QUOTES to be submitted to the DB via a query without altering the query, i.e. how to make this query work:

      $str = "Don't";

      mysql_query("UPDATE content SET text='".$str."' WHERE p_ID='1'");

NOTE:

  • We can't have users take care of it or follow a technique to get a successful ' submission.
  • The $str comes from user input; I am using WMD and PHP Markdown, so now you know where the problem is...
+3  A: 

Use mysql_real_escape_string:

mysql_query("UPDATE content SET text='". mysql_real_escape_string($str)."' WHERE p_ID='1'");

Not escaping user input before submitting it to the database is a security hole: it allows users to inject a tailored query chunk that will alter your original query and execute along with it. It's not just to allow legitimate users to submit content that includes single quotation marks, but also to prevent evil users from SQL-injecting our queries.

aularon
+1  A: 

You should really think about using PDO and parameterized queries.

aib
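The three approaches discussed in this thread side by side, as an added example that is not code from the question or either answer. It assumes PHP with PDO and the pdo_sqlite driver, and uses an in-memory SQLite database in place of MySQL so it runs offline; PDO::quote() stands in for mysql_real_escape_string() as the driver-aware escaping function (both insert an escaped value into a string literal), and the second input string is constructed here to show what the first answer means by a "tailored query chunk". The table and column names follow the question.

```php
<?php
// Added example, not code from the original thread. Requires PDO with the
// pdo_sqlite driver; an in-memory SQLite database stands in for MySQL so the
// script runs offline. Table and column names follow the question.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE content (p_ID INTEGER PRIMARY KEY, text TEXT)');
$pdo->exec("INSERT INTO content (p_ID, text) VALUES (1, 'original'), (2, 'untouched')");

// Restore both rows so each strategy below starts from the same state.
function resetRows(PDO $pdo): void
{
    $pdo->exec("UPDATE content SET text='original' WHERE p_ID=1");
    $pdo->exec("UPDATE content SET text='untouched' WHERE p_ID=2");
}

function rowText(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT text FROM content WHERE p_ID = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// 1. The question's construction: user input spliced into the string literal.
function naiveUpdate(PDO $pdo, string $str): string
{
    $sql = "UPDATE content SET text='" . $str . "' WHERE p_ID='1'";
    try {
        $pdo->exec($sql);
        return "executed: $sql";
    } catch (PDOException $e) {
        return "syntax error: $sql";
    }
}

// 2. Driver-aware escaping, the PDO counterpart of mysql_real_escape_string:
//    the value still lands inside the literal, but quotes are escaped so the
//    literal cannot be closed early.
function quotedUpdate(PDO $pdo, string $str): void
{
    $pdo->exec("UPDATE content SET text=" . $pdo->quote($str) . " WHERE p_ID='1'");
}

// 3. Parameterised query: the SQL text is fixed and the value is bound
//    separately, so nothing in $str is ever parsed as SQL.
function preparedUpdate(PDO $pdo, string $str): void
{
    $stmt = $pdo->prepare('UPDATE content SET text = :text WHERE p_ID = :id');
    $stmt->bindValue(':text', $str, PDO::PARAM_STR);
    $stmt->bindValue(':id', 1, PDO::PARAM_INT);
    $stmt->execute();
}

// Constructed inputs: the legitimate apostrophe case from the question, and a
// string shaped to close the literal and rewrite the WHERE clause.
$inputs = [
    "Don't",
    "x' WHERE p_ID='2' --",
];

foreach ($inputs as $str) {
    echo "input: " . json_encode($str) . "\n";

    resetRows($pdo);
    echo '  naive:    ' . naiveUpdate($pdo, $str) . "\n";
    echo '            row1=' . json_encode(rowText($pdo, 1))
       . ' row2=' . json_encode(rowText($pdo, 2)) . "\n";

    resetRows($pdo);
    quotedUpdate($pdo, $str);
    echo '  quoted:   row1=' . json_encode(rowText($pdo, 1))
       . ' row2=' . json_encode(rowText($pdo, 2)) . "\n";

    resetRows($pdo);
    preparedUpdate($pdo, $str);
    echo '  prepared: row1=' . json_encode(rowText($pdo, 1))
       . ' row2=' . json_encode(rowText($pdo, 2)) . "\n";
}
```

Run it with `php example.php`. The naive build fails outright on "Don't" and, for the second input, silently updates row 2 instead of row 1; the quoted and prepared variants store both strings verbatim in row 1 and leave row 2 alone. Note that the mysql_* functions were removed in PHP 7, so on current PHP the choice is between mysqli and PDO, and prepared statements are the option that does not depend on remembering to escape every value. Escaping for SQL also says nothing about whether the stored HTML is safe to render later; that is a separate output-encoding concern for the Markdown pipeline.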