Well, I just learned in here from TwistMyArm that a good way to insert it would be with mysql_real_escape_string. I think extracting it should be fine; don't quote me on it.
When inserting quotes into MySQL you need to quote them first. The easiest way is to use a function like mysql_real_escape_string, as Lordy suggested. Another thing you can use is a sanitization library like the built-in filter functions in PHP5, or the sanitization library from OWASP. These libraries are much better than just pure quoting, since they handle a lot of other security issues.

For information on the built-in PHP Filter library see:
http://www.php.net/manual/en/ref.filter.php
and
http://phpro.org/tutorials/Filtering-Data-with-PHP.html

For information on the OWASP library see the tutorial here:
http://www.phpbuilder.com/columns/ryan_mcgeehan20060627.php3

As far as extraction goes, once the data is inserted, it is in the normal unquoted format. So once you pull it, it's fine. Though depending on the circumstances you may also want to use something like html_special_chars on certain data (especially user-inserted data) just in case. This will change things like < > and quotes into their HTML equivalent.
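
Added example, not written by either poster: the insert and extract round trip described above, with validation on the way in and HTML encoding on the way out. It assumes an in-memory SQLite database through PDO in place of MySQL so it runs without a server (`PDO::quote()` fills the role of mysql_real_escape_string, and bound parameters are shown beside it); the table, column names and sample input are constructed.

```php
<?php
// Added example, not from the thread. Assumptions: an in-memory SQLite
// database via PDO stands in for MySQL, and the table/column names and the
// sample inputs are constructed for illustration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, email TEXT, body TEXT)');

// Constructed user input containing quotes and markup.
$input = [
    'email' => 'reader@example.com',
    'body'  => 'It\'s a "quoted" <b>comment</b>',
];

// 1. Validate with the built-in filter extension before touching the database.
$email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new InvalidArgumentException('invalid e-mail address');
}

// 2a. Escaping approach: PDO::quote() escapes the value and wraps it in
//     quotes, playing the role mysql_real_escape_string plays in the thread.
$db->exec('INSERT INTO comments (email, body) VALUES ('
    . $db->quote($email) . ', ' . $db->quote($input['body']) . ')');

// 2b. Bound parameters: the value never becomes part of the SQL text.
$stmt = $db->prepare('INSERT INTO comments (email, body) VALUES (:email, :body)');
$stmt->execute([':email' => $email, ':body' => $input['body']]);

// 3. Extraction: both rows come back exactly as submitted, so nothing
//    needs "unquoting" after the SELECT.
foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    var_dump($row['body'] === $input['body']);

    // 4. Encode at output time so the browser shows the markup as text.
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```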