You can use to escape the
You should prep your data for insertion into the data by using a tool
that formats it strictly for the database.  In the ops case
mysql_real_escape_string() is the correct tool for the job.

What about using prepared statements? This is my preferred method of "escaping output" when I'm using variables in a database query. Of course the ease and convenience of this method will depend to a great extent on what version of PHP is available on the server.

For the OP, have you read up much on SQL injection? If not, here's a decent place to start:


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to