'(single quote) & "(double quote) insert & extract in mysql
Ankit
Oct 14th 2007, 11:22 pm
What is the best way to handle ' (single quote) & " (double quote) insert & extract in MySQL with PHP?
Lordy
Oct 14th 2007, 11:24 pm
Well, I just learned in here (http://forums.digitalpoint.com/showthread.php?t=514477) from TwistMyArm
a good way to insert it would be with mysql_real_escape_string.
I think extracting it should be fine, don't quote me on it :o
upl8t
Oct 22nd 2007, 1:21 pm
When inserting quotes into MySQL you need to quote them first. The easiest way is to use a function like mysql_real_escape_string as Lordy suggested. Another thing you can use is a sanitization library like the built-in filter functions in PHP5, or the sanitization library from OWASP. These libraries are much better than just pure quoting, since they handle a lot of other security issues.
For information on the built in PHP Filter library see:
http://www.php.net/manual/en/ref.filter.php
And
http://phpro.org/tutorials/Filtering-Data-with-PHP.html
For information on the OWASP Library see the tutorial here:
http://www.phpbuilder.com/columns/ryan_mcgeehan20060627.php3
As far as extraction goes, once the data is inserted, it is in the normal unquoted format. So once you pull it, it's fine. Though depending on the circumstances you may also want to use something like htmlspecialchars on certain data (especially user-inserted data) just in case. This will change things like < > and quotes into their HTML equivalent.
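
The insert-and-extract round trip described in the post above, as an added example that is not part of the original thread. It uses PDO prepared statements in place of mysql_real_escape_string and an in-memory SQLite database in place of a MySQL server so it runs offline. Assumptions: the pdo_sqlite extension is available, and the table, function names and sample string are constructed for illustration.

```php
<?php
// Added example: constructed data; in-memory SQLite stands in for MySQL.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function save_comment(PDO $db, string $body): int
{
    // The placeholder keeps the value out of the SQL text, so quotes in
    // $body need no manual escaping and cannot end the string literal.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

function html(string $value): string
{
    // ENT_QUOTES encodes both single and double quotes, so the result is
    // safe inside element text and inside quoted attribute values.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db     = open_db();
$input  = 'He said "it\'s <b>fine</b>" & left'; // constructed sample input
$id     = save_comment($db, $input);
$stored = load_comment($db, $id);

// The stored value comes back byte-for-byte as entered, quotes included.
var_dump($stored === $input);
// Encode only at output time, for the context (HTML) it is written into.
echo html($stored), PHP_EOL;
```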