You need to sanitize and escape the input before inserting it into the db. You can use to escape the input.

On Jul 27, 2009, at 09:35, Ben Miller wrote:


I have a form in which my sales reps can add new clients into the database, but I'm running into a problem if the client's name includes a single quote, such as O'Henry, when it comes time to input the form data into the database table. I'm guessing I need to use ereg_replace, or something similar, to change the single quote, but I still can't seem to get the syntax right. Any help would be appreciated. For what it's worth, here is a shortened
version of what I have:

$ firstName = "$_POST[form_firstName]";

$ lastname = "$_POST[form_lastName]";

$query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
VALUES ('$firstName','$lastName')");

Ben Miller

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to