You can use http://us.php.net/mysql_real_escape_string to escape the
You should prep your data for insertion into the data by using a tool
that formats it strictly for the database. In the ops case
mysql_real_escape_string() is the correct tool for the job.
What about using prepared statements? This is my preferred method of
"escaping output" when I'm using variables in a database query. Of
course the ease and convenience of this method will depend to a great
extent on what version of PHP is available on the server.
For the OP, have you read up much on SQL injection? If not, here's a
decent place to start: http://www.owasp.org/index.php/SQL_injection
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php