Jump to content

handle single quotes in select statement


php_begins

Recommended Posts

maybe, but that has nothing to do with using mysql_real_escape_string().

 

The function mysql_real_escape_string() will simply escape input to make it safe for a DB query. But, the stored value is not the escaped value. So if you have the value "O'Reilly" and want to insert it into the database. mysql_real_escape_string() will convert that to "O\'Reilly". But, the "\" just tells the MySQL engine to treat the apostrophe as a literal value and not a delimiter - so the DB treats it as the string "O'Reilly" and that is what would be stored in the database.

 

Now, when you go to display that in an HTML page you will execute a query and get the value, which will be "O'Reilly". But, depending on how you plan to use the value you may need to do a transformation. For example, if you plan to use the value to populate a text inut field you will need to run it though htlmspecialcharacters() or htmlentities() - otherwise it could corrupt your HTML code

 

This would not be good:

<input type='text' name='last_name' value='O'Reilly'>

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.