

PhP and '


#1 Goatman

  • New Members
  • Newbie
  • 3 posts

Posted 08 September 2006 - 01:45 AM

I am creating (or trying) an online database of goats info. The problem I have is that some of the animal names contain '. While a name with the ' is displayed fine, when I try to insert the record into the table (mysql), the query fails. If I work directly with mysql, I can add a record with a ' as part of the value for a field.

What am I missing?


#2 Nhoj

  • Members
  • Advanced Member
  • 223 posts
  • Location: Clearwater, FL

Posted 08 September 2006 - 01:49 AM

Try editing your query to use STR_REPLACE to insert a backslash before the '

str_replace("'", "\'", $_POST['GOATINFO']);
Obviously change the $_POST value to the actual form value.

Edit, if that doesn't work, use


Avid PHP Developer, need some work done? Send a PM ;)

#3 SharkBait

  • Members
  • Advanced Member
  • 845 posts
  • Location: Metro Vancouver, BC

Posted 08 September 2006 - 03:04 AM

Can use
or for those running older than PHP  4.3.*??

I've been switching to that instead of using str_replace() so that I can catch other odd escape characters in mysql queries.

#4 Goatman

  • New Members
  • Newbie
  • 3 posts

Posted 09 September 2006 - 12:22 AM

Thanks for both of your suggestions. I will try them all and see how they work and learn. :D

#5 radalin

  • Members
  • Advanced Member
  • 179 posts

Posted 09 September 2006 - 12:37 AM

Well, try something like MDB2. Use its escape, prepare and execute methods. It will do all the required changes for you. And you won't need to worry about injection attacks.

By the way, never use the str_replace() function to protect your code from SQL injection. Instead of putting a single quote, they can also try to add its Unicode equivalent, which str_replace will miss (as I remember) but mysql won't. Also there are some other special characters for the SQL syntax, like #, which mutes your code. To protect from them use mysql_real_escape_string or something like mysqli if you use PHP 5 or higher.
Roy Simkes
Yet Another Parkyeri Developer
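
The prepare/execute approach recommended in the last reply, as an added example that is not code from any poster in this thread: the same goat names are inserted once by pasting them into the SQL text and once through a bound parameter. The table and column names (goats, name) and the sample names are assumptions, and an in-memory SQLite database accessed through PDO stands in for MySQL so the script runs without a server; with MySQL the same pattern is available through PDO's mysql driver or mysqli.

```php
<?php
// Added example: goats/name and the sample values are assumptions, not from the thread.
// SQLite in memory stands in for MySQL so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE goats (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input, as it would arrive in $_POST['GOATINFO'].
$names = ["Daisy", "O'Malley", "Rock 'n' Roll", "Nanny #2"];

// Before: the value becomes part of the SQL text, so a ' ends the string literal early.
function insertConcatenated(PDO $db, string $name): bool
{
    try {
        $db->exec("INSERT INTO goats (name) VALUES ('$name')");
        return true;
    } catch (PDOException $e) {
        return false; // the unescaped quote produced a syntax error
    }
}

// After: the SQL text is fixed and the value is sent separately as data.
function insertPrepared(PDO $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO goats (name) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

foreach ($names as $name) {
    // Run the concatenated insert inside a transaction and roll it back,
    // so the table ends up holding only the rows from the prepared insert.
    $db->beginTransaction();
    $concatOk = insertConcatenated($db, $name);
    $db->rollBack();

    $preparedOk = insertPrepared($db, $name);
    printf("%-14s concatenated: %-7s prepared: %s\n",
        $name, $concatOk ? 'ok' : 'FAILED', $preparedOk ? 'ok' : 'FAILED');
}

// Read the rows back: every name is stored exactly as typed, with no backslashes added.
foreach ($db->query('SELECT id, name FROM goats ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['name'], "\n";
}
```

The concatenated insert fails for the two names that contain ', while the prepared insert stores all four unchanged.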
