PhP and '

[Goatman]

I am creating (or trying) a online database of goats info. The problem I have is that some of the animal names contain ' While name with the ' is displayed fine, when I try to insert the record into the table(mysql), the querry fails.  If I work directly with mysql, I can add a record with a ' as part of value for a field.

What am I missing?

Thanks
Dave

[Nhoj]

Try editing your query to use STR_REPLACE to insert a backslash before the '

[code]
str_replace("'", "\'", $_POST['GOATINFO']);
[/code]
Obviously change the $_POST value to the actual form value.

Edit, if that doesn't work, use

[code]addslashes($_POST['GOATINFO']);[/code]

[SharkBait]

Can use [code=php:0] mysql_escape_real_string() [/code] or for those running older than PHP  4.3.*?? [code=php:0]mysql_escape_string()[/code]

I've been switching to that instead of using str_replace() so that I can catch other odd escape characters in mysql queries.

[Goatman]

Thanks for both of your suggestions. I will try them all and see how they work and learn. :D

[radalin]

Well try something like MDB2. Use it's escape,prepare and execute methods. It will do all the required changes for you. And you won't need to worry for injection attacks.

By the way do never use str_replace() function to protect your code from sql injection. As instead of putting an single quote they can also try to add it's unicode equivalent where the str_replace will miss (as I remember) but mysql wont. Also there are some other special characters for the sql syntax like # which mutes your code. To protect from them use mysql_real_escape_string or something like mysqli if you use php 5 or higher