Bastien Koert wrote:
On Mon, Jul 27, 2009 at 12:41 PM, Mari Masuda<> wrote:
You need to sanitize and escape the input before inserting it into the db.
 You can use to escape the input.

On Jul 27, 2009, at 09:35, Ben Miller wrote:


I have a form in which my sales reps can add new clients into the database,
but I'm running into a problem if the client's name includes a single quote,
such as O'Henry, when it comes time to input the form data into the database
table.  I'm guessing I need to use ereg_replace, or something similar, to
change the single quote, but I still can't seem to get the syntax right.
Any help would be appreciated.  For what it's worth, here is a shortened
version of what I have:

$firstName = "$_POST[form_firstName]";

$lastName = "$_POST[form_lastName]";

// The values are interpolated straight into the SQL text, so an apostrophe
// in a name such as O'Henry closes the string literal early and the query fails
$query = mysql_query("INSERT INTO customers (`cust_first`,`cust_last`)
VALUES ('$firstName','$lastName')");

Ben Miller

PHP General Mailing List (
To unsubscribe, visit:

I like to use

htmlentities should not be used on the data before it goes into the database. If used it should be used on data coming out of the database.

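The following is an added example, not code posted by anyone in this thread, that puts the interpolated query from the original post beside a parameterised version and shows where encoding for HTML belongs, as the last reply points out. It uses SQLite in memory through PDO so it runs without a MySQL server; the customers table and the sample names are constructed for the example.

```php
<?php
// Added example (not from any poster in this thread). SQLite via PDO stands in
// for MySQL so the script runs offline; table and input values are made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (cust_first TEXT, cust_last TEXT)");

// Constructed form input; a real script would read $_POST['form_firstName'] etc.
$firstName = "Bob";
$lastName  = "O'Henry";

// 1. The approach from the original post: the apostrophe terminates the SQL
//    string literal early, so the statement is rejected (and untrusted input
//    can change the statement's meaning in the same way).
try {
    $db->exec("INSERT INTO customers (cust_first, cust_last)
               VALUES ('$firstName', '$lastName')");
    echo "Interpolated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the values travel separately from the SQL text, so the
//    quote is stored as plain data and no escaping function is needed.
$stmt = $db->prepare("INSERT INTO customers (cust_first, cust_last) VALUES (?, ?)");
$stmt->execute([$firstName, $lastName]);

// 3. HTML encoding belongs at the output boundary, not before the row is stored:
//    the database keeps O'Henry, the page shows Bob O&#039;Henry.
foreach ($db->query("SELECT cust_first, cust_last FROM customers") as $row) {
    echo htmlentities($row['cust_first'] . ' ' . $row['cust_last'],
                      ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run with `php example.php` on any PHP build with the pdo_sqlite extension. Swapping the DSN for a MySQL one leaves steps 2 and 3 unchanged; only the interpolated query in step 1 depends on how the server reacts to the stray quote.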
