MySQL chars in string messing up query

[rasmuspalm]

Evening lovely php people.

Take a look at this code snippet:

$query = "SELECT AES_ENCRYPT('$plaintext','$key_string')";
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
$encrypted_string = $row[0];
}

$query2 = "SELECT AES_DECRYPT('$encrypted_string','$key_string')";
$result2 = mysql_query($query2) or die(mysql_error());

My problem is that ' and " in $plaintext, $key_string and especially $encrypted_string, will mess up my sql query. $encrypted_string can contain every possible character, and will frequently do so, since it's encrypted and all. Problem is i can't use something like htmlspecialchars() since that will alter the $encrypted_string and break the decryption process. I need a function something like: donotreadasmysql()  ;D
Any ideas?
Help will be rewarded with cookies :)

[dbo]

You should ALWAYS filter and escape input before sending it to the database.

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

[rasmuspalm]

Yes..?

[dbo]

You're a damn ingrate. I'm done replying to your posts, call the function I just pasted you a link for. Stop looking for handouts.

[rasmuspalm]

Edit: just.. forget it..

[dbo]

It's really pretty simple. Use the link I gave you and this:

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_aes_encrypt

if you can't figure it out from that I don't knwo what to tell you.

You escape it before you send it to be encrypted it, it encrypts it and puts it in the database, when you get it out of the database you then unescape it.

[Kairu]

Hey hey hey! No need to be rude! Perhaps they truly don't understand? It may not be my responsibility to say this, but I saw nothing in the prior posts that warranted such rude behavior!

Perhaps a code snipit or example? That may help.

[dbo]

He was rude in a post on another thread as well. I don't put up with that in real life, won't do it on a forum.