Menu
When I try to instert a string that contains a quote mark, the INSERT query fails. How can I insert strings with single or double quotes?
for example:
$message = "Bob said 'don't forget to call me'";
mysql_query("INSERT INTO someTable (messages) VALUES ('$message')");
I figure the input needs to be filtered but which function should I use for that?
896
See: mysql_real_escape_string
You should ALWAYS be escaping things anything provided by the user before they go it goes into the database to prevent SQL injection in any case.
154
$message = mysql_real_escape_string($message);
this function should be applied to every variable you are going to insert into query in quote marks. No exceptions.
It is not really protection from sсaring injection but just a syntax rule.
Though you will need a real protection too. I've explained that in detail in recent answer: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
42
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
