I want to escape ' and ". I can't figure out how to do this. I read up on PHP.net and couldn't figure it out. I guess the easiest way is to just add a \ to them, but how to do that? BTW this is to stop some innocent SQL injection on my site.
You can use the function addslashes() to escape all of the " and ' characters. You will then need to use stripslashes if you want to remove them later.
mysql_real_escape_string is a safer way to escape strings if we talk about SQL injection protection. See The addslashes() Versus mysql_real_escape_string() Debate.
The proper way to prevent SQL injection is to use parameterised queries, supported by libraries such as PDO and PEAR::MDB2. That way you don't have to muck around escaping anything.
Use this: <?php $value = stripslashes($value); // to strip the slash. $value = mysql_real_escape_string($value); // to add slash. ?> You might also want to check your "magic" settings. Using this way of adding slash will "double" slash if "magic" is "ON". Bye
sorry, how do I use: $value = mysql_real_escape_string so I need to change $variable? I have $_POST['desc'] that needs to be stripped
You could use: $value = mysql_real_escape_string($_POST['desc']); //or $_POST['desc'] = mysql_real_escape_string($_POST['desc']); PHP:
I use and recommend this function: function sql_quote($value) { if(get_magic_quotes_gpc()) { $value = stripslashes($value); } // check if this function exists if(function_exists("mysql_real_escape_string")) { $value = mysql_real_escape_string($value); } // for PHP < 4.3.0 use addslashes else { $value = addslashes($value); } return $value; } PHP: So your code would be: $desc = sql_quote($_POST['desc']); PHP: Hope this helps.