sprintf() removing my ' what is a better method?

[mneil]

I've been getting better and better with php and mysql. But, I've got a question here I'm hoping has a fairly simple answer for. I've become accustomed to using sprintf with all mysql queries. So now I'm doing this:

 

$sql = sprintf("UPDATE project SET title='%s', information='%s', notes='%s', assigned_to='%s', help='%s' WHERE id='$id'", $title, $info, $notes, $to, $help);

 

However, in the info and notes variables there may likely be apostrophes or quotes that I need to maintain. I've tracked down sprintf to being the culprit that not only tries to strip them but causes my update to fail entirely. So, does anyone have an answer to my newbie question? I tried to search the forums, I've been here a million times and read other threads that helped me. Finally I've signed up and will hopefully get some more use out of this place! Thank anyone who can help me out on this. I'm not stuck with using sprintf neither so any other php functions I don't know of are welcomed! Thanks again.

[rhodesa]

it's not sprintf's fault...you need to escape the data for mysql

$sql = sprintf(
  "UPDATE project SET title='%s', information='%s', notes='%s', assigned_to='%s', help='%s' WHERE id='%s'",
  mysql_real_escape_string($title),
  mysql_real_escape_string($info),
  mysql_real_escape_string($notes),
  mysql_real_escape_string($to),
  mysql_real_escape_string($help),
  mysql_real_escape_string($id)
);