jeff5656 Posted December 22, 2008

If a user puts in a ' character and submits (i.e. "Smith's heart rate was 55") it gives me:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Select Staff' )' at line 3

How do I modify the code to strip this character? Here's what I would need to modify:

    $dx1 = $_POST['dx1'];

ngreenwood6 Posted December 22, 2008

You should always filter any variables that go into the database with mysql_real_escape_string like this:

    $dx1 = mysql_real_escape_string($_POST['dx1']);

jeff5656 Posted December 22, 2008

Thanks, that solves it. Can I please ask though how would you do it for this (I am bad with figuring out quotation mark placement and this is inside sql="SELECT FROM ...etc"):

    dx1 = '" . $_POST['dx1'] . "', dx2 = '" . $_POST['dx2'] . "', dx3 = '" . $_POST['dx3'] . "', etc.

dennismonsewicz Posted December 22, 2008

I would also look into error checking with PHP because you don't just want to select something out of a DB without checking the $_POST vars.

ngreenwood6 Posted December 22, 2008

I am not sure that I understand what you are trying to ask?

premiso Posted December 22, 2008

    $string = "dx1 = '" . mysql_real_escape_string($_POST['dx1']) . "', dx2 = '" . mysql_real_escape_string($_POST['dx2']) . "', dx3 = '" . mysql_real_escape_string($_POST['dx3']) . "'";

That is how you would formulate if I gathered your question right.

jeff5656 Posted December 22, 2008

Thanks that works!

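Added example, not part of any post in this thread: the multi-field statement from premiso's reply written with PDO bound parameters, which is how this is done now that the mysql_* functions used above no longer exist in PHP 7 and later. The patients table, its id column, the UPDATE form of the query, the saveDiagnoses() helper and the sample input are assumptions made for illustration; in-memory SQLite stands in for MySQL so it runs without a server.

```php
<?php
// Added example. Table name, id column and sample input are constructed.
// For MySQL only the DSN changes, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE patients (id INTEGER PRIMARY KEY, dx1 TEXT, dx2 TEXT, dx3 TEXT)');
$pdo->exec('INSERT INTO patients (id) VALUES (1)');

// Stand-in for $_POST (constructed). dx1 is the value from the first post;
// dx2 contains a quote followed by SQL-looking text to show it stays data.
$post = [
    'dx1' => "Smith's heart rate was 55",
    'dx2' => "x', dx3 = 'overwritten",
    'dx3' => '',
];

function saveDiagnoses(PDO $pdo, int $id, array $input): void
{
    // Accept only the expected fields; a missing field becomes an empty string.
    $params = [':id' => $id];
    foreach (['dx1', 'dx2', 'dx3'] as $field) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {   // a form field named dx1[] arrives as an array
            throw new InvalidArgumentException("$field must be a string");
        }
        $params[":$field"] = $value;
    }

    // The SQL text is fixed; user values are bound to placeholders,
    // so quotes inside them cannot end the string literal.
    $stmt = $pdo->prepare(
        'UPDATE patients SET dx1 = :dx1, dx2 = :dx2, dx3 = :dx3 WHERE id = :id'
    );
    $stmt->execute($params);
}

saveDiagnoses($pdo, 1, $post);

// Read the row back: dx2 holds the literal text and dx3 is still empty.
$row = $pdo->query('SELECT dx1, dx2, dx3 FROM patients WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```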