dc_jt Posted May 16, 2009

Hi

I am using PHP and I am looking at the best way to insert into a database and then echo out again in the correct format. I.e. I'm particularly talking about when adding apostrophes etc.

I am also not using magic quotes (as I believe this will be discontinued in PHP6 and my current server has it disabled. I know I can enable it but I'm trying to think ahead).

Do I remove slashes, add slashes or something else? Ideally I would like to be able to simply echo out the result like <?=$aResult['description']?> without having to add any formatting every time I echo out.

Therefore if I entered "Test test's "test"" for example into a field, what should I do to this before I insert it into the database in order to get the correct format when I output it?

Hope that makes sense.

Thanks

Daniel0 Posted May 16, 2009

It depends on what DBMS you are using. There is the mysql_real_escape_string function for MySQL. The MySQLi and PDO extensions support something called prepared statements, which I personally prefer.

dc_jt (Author) Posted May 16, 2009

> It depends on what DBMS you are using. There is the mysql_real_escape_string function for MySQL. The MySQLi and PDO extensions support something called prepared statements, which I personally prefer.

Thanks for the reply, I am using phpMyAdmin.

So I would basically do the following before inserting into the database?

$_POST = mysql_real_escape_string($_POST)

Also, I am using TinyMCE on some fields, does this make any difference or not?

Daniel0 Posted May 16, 2009

phpMyAdmin is irrelevant. This does, however, tell us that your DBMS (database management system) is MySQL. If you're using the mysql extension then you need to use mysql_real_escape_string. Take a look at the examples in the manual. You'll have to use it for all values you are going to use in a query to the database.

dc_jt (Author) Posted May 16, 2009

Sorry, yes, I am using MySQL. Thanks for your help.
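
The prepared-statement approach Daniel0 mentions, shown with PDO as an added example that is not part of the original thread. The table and column names and the helper functions are hypothetical, and it assumes an in-memory SQLite database so it runs without a server; for MySQL only the DSN passed to PDO changes.

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.
// Assumption: in-memory SQLite stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, description TEXT)');

function saveDescription(PDO $pdo, string $description): int
{
    // The value is bound as a parameter, separate from the SQL text,
    // so quotes inside it cannot end the literal or alter the statement.
    $stmt = $pdo->prepare('INSERT INTO items (description) VALUES (:description)');
    $stmt->execute([':description' => $description]);
    return (int) $pdo->lastInsertId();
}

function loadDescription(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT description FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed sample inputs; the first is the string from the question.
$samples = [
    'Test test\'s "test"',
    "O'Brien; -- note",
    'back\\slash',
];

foreach ($samples as $input) {
    $id = saveDescription($pdo, $input);
    $stored = loadDescription($pdo, $id);
    // No addslashes()/stripslashes() step: the stored value is the input.
    printf("%-22s round-trips: %s\n", $input, $stored === $input ? 'yes' : 'NO');
    // For a plain-text field, HTML-escape when echoing, not before storing.
    echo '  html: ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
}

// One row per sample was stored.
echo (int) $pdo->query('SELECT COUNT(*) FROM items')->fetchColumn(), " rows\n";
```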