' Character wont allow me to write record to database

[agentm]

Not sure where to post this question. I have a MySQL database and add records with a PHP form to the tables.

 

I have 2 fields (char) in one table. When the fields contain the character '  it wont write the record to the table! For example...if I enter. " John's house" it wont accept the record since ' appears in John's name!

 

How do I work around this?

 

Thanks

[kenrbnsn]

Use the function mysql_real_escape_string on any string data that will be used with a MySQL query.

 

Ken

[agentm]

Thanks for the quick response! Im not sure where to put the code. Here is my code.

$text and $newsbox will need to be modified.

 

 

      $text = $_POST['subject'];

      $newsbox = $_POST['newsbox'];

      $sql = "INSERT INTO newslines (Subject, Newsline, Date) VALUES ('$text', '$newsbox', '$Date')"; 

[kenrbnsn]

Did you read the manual page I posted? msql_real_escape_string

 

With your code, you are not protected against malicious people...

<?php
      $text = $_POST['subject'];
      $newsbox = $_POST['newsbox'];
      $sql = "INSERT INTO newslines (Subject, Newsline, Date) VALUES ('$text', '$newsbox', '$Date')"; 
?>

 

Do this:

<?php
      $text = mysql_real_escape_string($_POST['subject']);
      $newsbox = mysql_real_escape_string($_POST['newsbox']);
      $sql = "INSERT INTO newslines (Subject, Newsline, Date) VALUES ('$text', '$newsbox', '$Date')";
?>

 

Where is the variable $Date being set?

 

Ken

[agentm]

thank you - I did read the manual and looked at the example. Somehow it gave me errors.

But it is working now. I am not sure why you say the code is not protected. Sorry - new to this - and much to learn!

 

thanks anyway!

[Adam]

I am not sure why you say the code is not protected.

 

SQL injection.