On Mon, Mar 18, 2013 at 2:19 PM, Sebastian Krebs <krebs....@gmail.com> wrote:
> 2013/3/18 Ken Robinson <kenrb...@rbnsn.com>
> > On 18.03.2013 09:10, Norah Jones wrote:
> >> I have a string which has a few ' (single quotes) and a few "
> >> (double quotes) and I was not able to insert it into the MySQL database. I
> >> have replaced them with \' and \" and everything is fine.
> >> Though this is fine now, I don't understand how it works and I could
> >> have missed a few corner cases also. Please explain how it works and also
> >> whether there is some better way to achieve this.
> > You should be using either mysql_real_escape_string or
> > mysqli_real_escape_string (preferably the latter) depending on how you're
> > accessing the DB.
> You shouldn't use ext/mysql at all!
> Use prepared statements with PDO_MYSQL or MySQLi
And here comes the flame war again...
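
Added example, not part of the thread: the prepared-statement approach suggested above, shown next to string concatenation for a value that contains both quote characters. The table name `notes`, the sample string and the use of in-memory SQLite as a stand-in for MySQL (so the script runs without a server) are assumptions; with PDO_MYSQL only the DSN and credentials change.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption);
// prepare()/execute() are used the same way with a PDO_MYSQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input containing a single quote and double quotes.
$text = 'He said "it\'s fine" and left';

// 1) Concatenation: the single quote inside $text closes the SQL string
//    literal early, so the rest of the value is parsed as SQL.
try {
    $pdo->exec("INSERT INTO notes (body) VALUES ('" . $text . "')");
    echo "concatenated insert: ok\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: the SQL text holds only a placeholder and the
//    value is bound separately, so no manual \' or \" replacement is needed
//    and the quotes are never interpreted as SQL syntax.
$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute([':body' => $text]);

// Read the row back and confirm it is byte-for-byte the original string.
$stored = $pdo->query('SELECT body FROM notes')->fetchColumn();
echo "stored: ", $stored, "\n";
var_dump($stored === $text);
```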