How to strip quotes

I want to escape ' and ". I can't figure out how to do this.
I read up on PHP.net and couldn't figure it out.
I guess the easiest way is to just add a \ to them, but how to do that?
BTW this is to stop some innocent SQL injection on my site.

 

You can use the function addslashes() to escape all of the " and ' characters. You will then need to use stripslashes if you want to remove them later.

 

mysql_real_escape_string is a safer way to escape strings if we talk about SQL injection protection. See The addslashes() Versus mysql_real_escape_string() Debate.

 

The proper way to prevent SQL injection is to use parameterised queries, supported by libraries such as PDO and PEAR::MDB2. That way you don't have to muck around escaping anything.

 

Use this:
<?php
$value = stripslashes($value);
// to strip the slash.
$value = mysql_real_escape_string($value);
// to add slash.
?>

You might also want to check your "magic" settings. Using this way of adding slash will "double" slash if "magic" is "ON".

Bye

 

sorry, how do I use: $value = mysql_real_escape_string
so I need to change $variable?

I have $_POST['desc']
that needs to be stripped

 

You could use:

$value = mysql_real_escape_string($_POST['desc']);

//or 

$_POST['desc'] = mysql_real_escape_string($_POST['desc']);

PHP:

 

I use and recommend this function:

  function sql_quote($value)
  {
    if(get_magic_quotes_gpc())
    {
      $value = stripslashes($value);
    }
    // check if this function exists
    if(function_exists("mysql_real_escape_string"))
    {
      $value = mysql_real_escape_string($value);
    }
    // for PHP < 4.3.0 use addslashes
    else
    {
      $value = addslashes($value);
    }
    return $value;
  }

PHP:

So your code would be:

  $desc = sql_quote($_POST['desc']);

PHP:

Hope this helps.