> On Fri, 31 Jul 1998, Daniele Orlandi wrote:
> > Suppose I'm going to insert the content of a <TEXTAREA> in a
> > table. Obviously, there will be characters that could potentially
> > confuse the SQL statement. What (and how) do I need to escape the
> > data to make it acceptable for an Insert ? I currently use the
> > PHP's addlashed function, is it enought ?
>
> I'm not sure if PHP's addslashes command will take care of single
> quotes, I haven't tried it yet. I believe the proper escape for a
> single quote in SQL is to put another single quote in front of it.
> So if a person's last name is "O'Brien" it would be inserted as:
>
> INSERT INTO personel (fname,lname) VALUES ('Michael','O''Brien');
>
> So what I do is a Regular Expression Replace in PHP, like this:
>
> $lname = ereg_replace("'", "''", $lname);
But this does not handle backslashes in the string. I think the PHP
function does both.
--
Bruce Momjian | 830 Blythe Avenue
maillist@candle.pha.pa.us | Drexel Hill, Pennsylvania 19026
+ If your life is a hard drive, | (610) 353-9879(w)
+ Christ can be your backup. | (610) 853-3000(h)