----- Original Message -----
From: hassan el forkani <[EMAIL PROTECTED]>
Sent: Tuesday, August 07, 2001 07:32
> greetings;
> i'm not sure if this is a mysql or php issue so i'm posting to both lists,
> i'm developping a community web site with news, forums......;
> while working on the admin section i noticed this behaviour:
> on my hosting platform (linux)
> i need to replace single quotes by \' to properly insert the data into the
> database and avoid errors
> on my dev machine (win98) there is no need to do so as single quotes are
> properly inserted and attempting to escape them actually inserts \'
> of ';
> so the same code does not have the same output on windows and linux
> can someone explain??

Well, what I use for any form fields that may have special characters in
them (text, textarea) is a combination of htmlspecialchars() and
addslashes() on input, and stripslashes() on output - for example:

$textfield = "some&strange'text";
$escaped = addslashes(htmlspecialchars($textfield));
$sql = "INSERT INTO table VALUES (textfield), ('$escaped')";
... db query ...;

now, the special characters such as ampersand are converted into their hex
equivalents, and any characters that need to be escaped are escaped
properly... All you need to do now is remember to use stripslashes() on

$sql = "SELECT textfield FROM table WHERE id = '1'";
... db query ...;
echo stripslashes($textfield);

for more info see the appropriate manual pages:

Hope this helps

Anton Stroganov

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to