You can use http://us.php.net/mysql_real_escape_string to escape the
input.
[8<]
You should prep your data for insertion into the data by using a tool
that formats it strictly for the database.  In the ops case
mysql_real_escape_string() is the correct tool for the job.


What about using prepared statements? This is my preferred method of "escaping output" when I'm using variables in a database query. Of course the ease and convenience of this method will depend to a great extent on what version of PHP is available on the server.

For the OP, have you read up much on SQL injection? If not, here's a decent place to start: http://www.owasp.org/index.php/SQL_injection

Ben

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to