+1  A: 

You need to use mysql_escape_string to clean your POST variable for use in the MySQL query.

matthewh
This function has been deprecated.
webbiedave
Thanks - I clearly haven't used PHP in a while! :)
matthewh
+1  A: 

You can clean up text that you are inserting into the database with the mysql_real_escape_string() function. This adds backslashes in front of the characters that can cause problems, such as the single quote.

    // Every quoted string value goes through mysql_real_escape_string();
    // the id is not quoted, so it is forced to an integer with sprintf("%d").
    $sql = "UPDATE works SET "
         . "client='"      . mysql_real_escape_string($_POST["client"])         . "', "
         . "description='" . mysql_real_escape_string($_POST["description"])    . "', "
         . "text='"        . mysql_real_escape_string($_POST["text"])           . "', "
         . "image='"       . mysql_real_escape_string($_FILES["attels"]["name"]) . "' "
         . "WHERE id="     . sprintf("%d", $_GET['id']);

Ideally you should also use sprintf() to guard against SQL injection.

Gus
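As an added example, not code from either answer above: the same UPDATE written with a mysqli prepared statement, which is what current PHP recommends in place of the mysql_* functions. Two caveats about the escaping approach worth knowing before copying it: mysql_real_escape_string() needs an open connection and escapes according to that connection's character set (it returns false without one), and it does nothing for a value that is not inside quotes, which is why the unquoted id has to be validated as an integer rather than escaped. The table and column names come from the answer; the connection details (dbuser, dbpass, dbname), the utf8mb4 charset and the `??` defaults (PHP 7 or later) are assumptions made for this example.

```php
<?php
// Added example (not from the original answers): the UPDATE from Gus's answer
// rewritten as a mysqli prepared statement. Host/user/password/database are
// placeholders; adjust them for your setup.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($mysqli->connect_error) {
    die('Connect failed: ' . htmlspecialchars($mysqli->connect_error));
}
// Escaping and binding are only correct for the connection's character set,
// so set it explicitly instead of relying on the server default (assumed utf8mb4).
$mysqli->set_charset('utf8mb4');

// Read the inputs; ?? supplies an empty default when a field is missing.
$client      = $_POST['client'] ?? '';
$description = $_POST['description'] ?? '';
$text        = $_POST['text'] ?? '';
$image       = $_FILES['attels']['name'] ?? '';
$id          = $_GET['id'] ?? '';

// The id is unquoted in the SQL, so backslash escaping would not protect it.
// Validate it as an integer and reject anything else.
if (filter_var($id, FILTER_VALIDATE_INT) === false) {
    http_response_code(400);
    exit('invalid id');
}
$id = (int) $id;

// Placeholders keep the SQL text fixed; the values travel separately and can
// never change the statement's structure, whatever characters they contain.
$stmt = $mysqli->prepare(
    'UPDATE works SET client = ?, description = ?, text = ?, image = ? WHERE id = ?'
);
if ($stmt === false) {
    die('Prepare failed: ' . htmlspecialchars($mysqli->error));
}
// Type string: four strings (s) followed by one integer (i), in placeholder order.
$stmt->bind_param('ssssi', $client, $description, $text, $image, $id);
if (!$stmt->execute()) {
    die('Execute failed: ' . htmlspecialchars($stmt->error));
}
echo $stmt->affected_rows . " row(s) updated";
$stmt->close();
$mysqli->close();
```

With bound parameters there is nothing left to escape, so the question of which escaping function to call goes away; the one input that still needs explicit handling is the integer id, because no escaping function covers an unquoted number.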