PHP and MySQL and apostrophes

Hey everyone,

This problem has been baffling me for a little bit now. It's to do with MySQL and apostrophes.

Currently I have:

<?php
include '../config.php';
mysql_connect("$host", "$user", "$pass") or die(mysql_error()); 
mysql_select_db("$dbname") or die(mysql_error());

$title = $_POST['title']; 
$news = $_POST['edited'];
$news = str_replace("<br>", "<br />", $news);
$date = date("D j M Y"); 

mysql_query("INSERT INTO news (title, contents, date) VALUES ('$title', '$news', '$date')") or die(mysql_error());
echo ("Done <a href='index.php'>Click Here</a> to go back to admin area")
?>

PHP:

and if any of the variables was to have an apostrophe (') then it generates an error on the query line.

Does anyone have any ideas how I can sort this out?

Thanks

 

For the problem you asked about you need to escape those characters:

http://us3.php.net/manual/en/function.mysql-real-escape-string.php


For the problem you didn't ask about, you need to validate your data:

http://www.google.com/search?q=data+validation

(never trust end users nor their data)

 

Try mysql_real_escape_string()
http://php.net/manual/en/function.mysql-real-escape-string.php

This should work for you.

 

thanks!

that works great!

thank you again

 

Do you use mysqli_real_escape_string to also prevent .php?id=3' from triggering an error?