
problem inserting $_SESSION data that contains a '


jason310771


Without having to create a new variable for each of the SESSION variables, how should I change the following example to securely insert data?

 

The $requestID and $datetime_added were already made safe using mysql_real_escape_string; it is the session data that I am not sure about.

$addRequest = mysql_query("INSERT INTO requests (`request_id`, `datetime_added`, `customer_name`, `customer_email`) VALUES ('$requestID', '$datetime_added', '{$_SESSION['customerName']}', '{$_SESSION['customerEmail']}')");

 

Just tried to use a foreach on each SESSION variable, but this causes problems with other session variables not to be used in the storing of data in MySQL, and there are too many to filter out, and too many session variables to create a new variable ($variablename) for each.

Could I just do this...

 

$addRequest = mysql_query("INSERT INTO requests (`request_id`, `datetime_added`, `customer_name`, `customer_email`) VALUES ('".mysql_real_escape_string($requestID)."', '".mysql_real_escape_string($datetime_added)."', '".mysql_real_escape_string($_SESSION['customerName'])."', '".mysql_real_escape_string($_SESSION['customerEmail'])."')");

 

Or does the $_SESSION['customerName'] need to have the { }?

I would not know; I have only just been told that some data was inserted at all, and I had the data emailed to me prior to it being inserted and found that one of the fields filled in had the dreaded ', so checked the code and found the guy who coded it had not escaped anything. Why does the line have the { }? Can I lose these and just use mysql_real_escape_string($_SESSION['customerName']), or will the session not work?
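
An added example, not part of the original posts: a PDO prepared statement that binds values taken from a fixed list of session keys, so no per-variable copies or escaping calls are needed and unrelated session variables are never touched. The helper name insertRequest(), the SESSION_COLUMNS map, the sample data and the in-memory SQLite database are assumptions made for illustration; the table and column names are the ones from the post.

```php
<?php
// Added example: constructed data, hypothetical names (insertRequest, SESSION_COLUMNS).
// Map of session key => column name. Only these keys are ever read from the
// session, so there is no foreach over the whole of $_SESSION.
const SESSION_COLUMNS = [
    'customerName'  => 'customer_name',
    'customerEmail' => 'customer_email',
];

function insertRequest(PDO $db, string $requestID, string $datetimeAdded, array $session): void
{
    $values = ['request_id' => $requestID, 'datetime_added' => $datetimeAdded];
    foreach (SESSION_COLUMNS as $key => $column) {
        if (!isset($session[$key]) || !is_string($session[$key])) {
            throw new InvalidArgumentException("missing session value: $key");
        }
        $values[$column] = $session[$key];
    }
    // Column names come only from the hard-coded map above; every value is
    // bound as a parameter, so a ' in the data never becomes part of the SQL text.
    $columns = implode(', ', array_keys($values));
    $marks   = implode(', ', array_fill(0, count($values), '?'));
    $stmt = $db->prepare("INSERT INTO requests ($columns) VALUES ($marks)");
    $stmt->execute(array_values($values));
}

// In-memory SQLite keeps the example runnable offline (assumption); for MySQL,
// change only the DSN, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE requests (request_id TEXT, datetime_added TEXT,
           customer_name TEXT, customer_email TEXT)');

// Constructed session contents: an apostrophe in the name and an unrelated key.
$session = [
    'customerName'  => "Pat O'Brien",
    'customerEmail' => 'pat@example.com',
    'cartItems'     => [1, 2, 3],
];
insertRequest($db, 'R-1001', '2012-01-01 12:00:00', $session);

// Read the row back to confirm the apostrophe was stored as data.
$row = $db->query('SELECT customer_name, customer_email FROM requests')
          ->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

The { } in the original query is only PHP's syntax for interpolating an array element inside a double-quoted string; it is not needed once the value is passed to a function or bound as a parameter. The mysql_* functions used in the posts were removed in PHP 7.0, which is why the example uses PDO.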

Archived

This topic is now archived and is closed to further replies.
