+1  Q: 

Quotes, PHP, MySQL

I feel daft asking this, but it's driving me potty. How can I make this string:

Children\''s Toy

suitable for inserting into a MySQL database, with the characters escaped properly?

Thanks

+4  A: 

mysql_real_escape_string should do it. If you are using the mysqli extension, you can do it the same way (mysqli_real_escape_string).

Jacob Relkin
This led me to the solution. I was using the following:

if (get_magic_quotes_gpc()) {
    $value = stripslashes($value);
}
$return_value = "'" . str_replace("'", "''", $value) . "'";

but I had to call stripslashes() before I even used this bit of code and that solved my problem... the Notes on the link you supplied helped. Thanks
Jenski
+3  A: 

Why, by using prepared statements, of course.

shylent
Yes, PDO and prepared statements are the best way to go.
Arkh
Thanks for sharing this, I'll give it a try in my next project
Jenski
Sure, enjoy the SQL injections in the meantime :)
shylent
+1  A: 

Like this:

Children\\\'\'s Toy

But you really should be relying on something built into PHP like mysql_real_escape_string() or better yet, parameterize queries using PDO.

Here's my test of the above:

mysql> select 'Children\\\'\'s Toy' as escapedString;
+------------------+
| escapedString    |
+------------------+
| Children\''s Toy |
+------------------+
1 row in set (0.49 sec)
Asaph
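Taking the PDO route that shylent, Arkh and Asaph recommend, here is an added example (not code from any answer in this thread) that inserts the exact string from the question and reads it back without any hand escaping. It assumes a table named products with a column named name; the DSN, user and password are placeholders.

```php
<?php
// The value from the question. In a PHP double-quoted literal the backslash
// must be doubled, so this variable holds exactly: Children\''s Toy
$value = "Children\\''s Toy";

// Placeholder connection details; replace with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'example_user',
    'example_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Insert with a bound parameter: the value never becomes part of the SQL
// text, so backslashes and quotes need no escaping at all.
function insertProductName(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO products (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

// Look the row up again by the same raw value to confirm it round-trips.
function findProductName(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM products WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

$id = insertProductName($pdo, $value);
$stored = findProductName($pdo, $value);
echo ($stored === $value) ? "round-trip OK (id $id)\n" : "MISMATCH\n";

// If a literal really must be built by hand (for example for a logging
// statement), PDO::quote() escapes using the connection's character set and
// adds the surrounding quotes; it is still the weaker choice than binding.
$quoted = $pdo->quote($value);
echo "Quoted form for this connection: $quoted\n";
```

With magic quotes (the issue in Jenski's comment) the input already carries extra backslashes before it reaches this code, so stripslashes() has to run once on the raw input before binding; binding itself must not be combined with any further str_replace() or addslashes() escaping, or the stored value will gain characters.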