> Hi,
> I have a form in which my sales reps can add new clients into the database,
> but I'm running into a problem if the client's name includes a single quote,
> such as O'Henry, when it comes time to input the form data into the database
> table.  I'm guessing I need to use ereg_replace, or something similar, to
> change the single quote, but I still can't seem to get the syntax right.
> Any help would be appreciated.  For what it's worth, here is a shortened
> version of what I have:

You shouldn't be trusting form data.  Single quotes can also be used to
add SQL injection.

Replace these two lines:

> $ firstName = "$_POST[form_firstName]";
> $ lastname = "$_POST[form_lastName]";


$ firstName = mysql_real_escape_string($_POST['form_firstName'], $conn);
$ lastname = mysql_real_escape_string($_POST['form_lastName'], $conn);

Where $conn is your connection resource. Note also I've quoted the key
names, as they should be unless they are valid constants.
 This will escape any newlines, apostrophes (single quotes), etc. and is
the absolute minimum you should be doing with any data you do not supply

> $query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
> VALUES ('$firstName','$lastName')");
> Ben Miller

BTW ereg functions are deprecated in PHP 5.3, so now would be a good
time to start using the PCRE equivalents.

Niel Archer
niel.archer (at) blueyonder.co.uk

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to