NathanS Posted March 10, 2008

Hi there, I'm having issues where people are inserting last names such as "O'Connor" and it's not writing to the database correctly:

$sql = "INSERT INTO customerav (TITLE, LNAME, PCODE) VALUES ('".$_POST["TITLE"]."', '".$_POST["LNAME"]."', '".$_POST["PCODE"]."')";

How would I best go about removing the apostrophe? Cheers.
uniflare Posted March 10, 2008

This is known as mysql injection... wrap all your $_POST[] variables in mysql_escape_string(), e.g.:

$sql = "INSERT INTO customerav (TITLE, LNAME, PCODE) VALUES ('".mysql_escape_string($_POST["TITLE"])."', '".mysql_escape_string($_POST["LNAME"])."', '".mysql_escape_string($_POST["PCODE"])."')";

-- make sure you are connected to the db before using any mysql_escape_string functions
NathanS (Author) Posted March 10, 2008

'".mysql_escape_string($_POST["LNAME"])."

Many thanks for your quick reply! Using the above writes, however it still writes O\\\ to the database, as opposed to O'Connor - any ideas? Thanks again!
trq Posted March 10, 2008

Would seem you have magic_quotes_gpc enabled. You will also need to use stripslashes() on your data prior to mysql_real_escape_string().
NathanS (Author) Posted March 10, 2008

I see. Excuse my utter ignorance, but in what format would I need to be using stripslashes prior to mysql_real_escape_string()? Sorry, very new still!
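An added example, not part of any post in this thread: the strip-slashes-once order trq describes, with PDO bound parameters swapped in for mysql_real_escape_string(), since the mysql_* functions and magic_quotes_gpc no longer exist in current PHP. Assumptions: the pdo_sqlite extension, an in-memory SQLite table standing in for customerav, the hypothetical helpers undo_magic_quotes() and insert_customer(), and constructed form values with addslashes() simulating what magic_quotes_gpc did to $_POST.

```php
<?php
// Added example, not code from the thread. Needs the pdo_sqlite extension;
// an in-memory SQLite table stands in for the poster's MySQL customerav table.

// magic_quotes_gpc ran addslashes() over every $_POST value before the script
// saw it. Undo that once, and only when it was actually applied.
function undo_magic_quotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Bind the values as parameters: the driver keeps data out of the SQL text,
// so no manual escaping is needed and an apostrophe is stored as typed.
function insert_customer(PDO $db, array $post, bool $magicQuotesOn): void
{
    $stmt = $db->prepare(
        'INSERT INTO customerav (TITLE, LNAME, PCODE) VALUES (:title, :lname, :pcode)'
    );
    $stmt->execute([
        ':title' => undo_magic_quotes($post['TITLE'], $magicQuotesOn),
        ':lname' => undo_magic_quotes($post['LNAME'], $magicQuotesOn),
        ':pcode' => undo_magic_quotes($post['PCODE'], $magicQuotesOn),
    ]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customerav (TITLE TEXT, LNAME TEXT, PCODE TEXT)');

// Constructed form data: as typed, and as magic_quotes_gpc would deliver it.
$typed  = ['TITLE' => 'Mr', 'LNAME' => "O'Connor", 'PCODE' => 'AB1 2CD'];
$quoted = array_map('addslashes', $typed);   // LNAME becomes O\'Connor

insert_customer($db, $typed, false);   // magic quotes off: stored as typed
insert_customer($db, $quoted, true);   // magic quotes on, slashes stripped once
insert_customer($db, $quoted, false);  // magic quotes on, not stripped: the bug

// Print what actually landed in the LNAME column for each case.
foreach ($db->query('SELECT LNAME FROM customerav ORDER BY rowid') as $row) {
    echo $row['LNAME'], PHP_EOL;
}
```

The first two rows come back with the apostrophe intact; the third keeps the stray backslash, which is the doubled-escaping symptom reported earlier in the thread.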
NathanS (Author) Posted March 10, 2008

I turned magic_quotes off, yet it still does the same thing.. ???
uniflare Posted March 10, 2008

Echo the query variable using exit(); immediately before the mysql_query call, once without the mysql_escape_string and once with, and tell us the output of these two results.
Archived
This topic is now archived and is closed to further replies.