[SOLVED] Can't use special characters.

[erfg1]

I made a bug report script so people can report them, and an administrator could read them, and edit them.

 

However, if someone reported something and put a special character like ' when i would go to edit and re-submit, it would say that its a syntax error. I've fixed this in my previous scripts however, i lost them, and can't recall how to do it. Basically I want to UPDATE.

 

Basically editing another field, but not their original report containing a ' and wanting to re-submit without editing their report.

 

$sql5 = "UPDATE cm_bugreport SET version = '$version', name = '$name_edit', bug = '$bug', status = '$status', comments = '$comments' WHERE id = '$id'";
		$db->sql_query($sql5);

[redarrow]

stripslashes();

[per1os]

You don't want to use stripslashes, bad habit.

 

Use mysql_real_escape_string($val) on all of your variable before you input them into the $sql, this will prevent SQL Injection and escape anything that will cause a mysql_Error.

[erfg1]

Is this right?

 

$sql5 = "UPDATE cm_bugreport SET version = '". mysql_real_escape_string($version) .", name = '$name_edit', bug = '$bug', status = '$status', comments = '$comments' WHERE id = '$id'";

 

Cause im still getting errors back.

 

EDIT: nvm, this is how it should be.

$sql5 = "UPDATE cm_bugreport SET version = '". mysql_real_escape_string("$version") ."', name = '$name_edit', bug = '$bug', status = '$status', comments = '$comments' WHERE id = '$id'";