John W. Holmes wrote:
> Then make sure $name has all single quotes escaped within it. If all of
> them are escaped, then it's just a string and can't do any harm. If they
> aren't escaped, then the user can break out of your own SQL and put
> their own.
I'm confused about when I should escape single or double quotes. Should all quotes be stored as \" or \' in a database as well?

Regarding your suggestion above, is this what I should do?

...
$name = "John AND fname = 'Mary'";
$name = addslashes($name);
// $name now holds: "John AND fname = \'Mary\'"

This forces MySQL to read \' as a character rather than as the beginning of a variable value. So, in essence, this would produce a MySQL error instead of executing the query, is that correct?

Monty

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
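The three outcomes the thread is circling (input spliced into the SQL unescaped, input with its quotes escaped, and input passed as a bound parameter) are easiest to see by running them. The following is an added example, not code from the thread or from PHP; it uses Python's sqlite3 module and an in-memory database as an offline stand-in for the PHP/MySQL setup being discussed, with a constructed three-row users table. SQLite escapes a quote inside a literal by doubling it ('') rather than with a backslash, so the escape_sqlite() helper plays the role addslashes() plays for MySQL; MySQL itself reads 'John AND fname = \'Mary\'' as one plain string literal in the same way. The example goes slightly beyond the thread's input by also feeding a classic ' OR '1'='1 payload through each path.

```python
import sqlite3

# Constructed sample data (not from the original mailing-list thread).
ROWS = [("John", "Smith"), ("Mary", "Jones"), ("Eve", "Adams")]

# Inputs exercised below: a benign name, an injection payload that widens the
# WHERE clause, and the exact string Monty used in the thread.
BENIGN = "John"
PAYLOAD = "John' OR '1'='1"
MONTY = "John AND fname = 'Mary'"


def make_db():
    """In-memory SQLite stand-in for the MySQL table discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, fname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def query_concat(conn, name):
    """Vulnerable: the user-controlled value becomes part of the SQL text,
    so a quote in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name, fname FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def escape_sqlite(s):
    """SQLite's escape for a quote inside a string literal is a doubled quote.
    This is the SQLite counterpart of PHP's addslashes() (backslash before the
    quote) for MySQL; the backslash form does NOT work on SQLite."""
    return s.replace("'", "''")


def query_escaped(conn, name):
    """Still string-building, but every quote in the value is escaped, so the
    whole value is read as one literal and compared as data, not as SQL."""
    sql = "SELECT name, fname FROM users WHERE name = '" + escape_sqlite(name) + "'"
    return conn.execute(sql).fetchall()


def query_param(conn, name):
    """Preferred: a bound parameter. The value never touches the SQL text,
    so no escaping decision has to be made at all."""
    return conn.execute(
        "SELECT name, fname FROM users WHERE name = ?", (name,)
    ).fetchall()


def run_case(conn, name):
    """Run one input through all three styles. Returns the rows each style
    produced, or the string 'ERROR' when the SQL failed to parse."""
    out = {}
    for label, fn in (("concat", query_concat),
                      ("escaped", query_escaped),
                      ("param", query_param)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.OperationalError:
            out[label] = "ERROR"
    return out


if __name__ == "__main__":
    db = make_db()
    for value in (BENIGN, PAYLOAD, MONTY):
        print(repr(value))
        for label, result in run_case(db, value).items():
            print("  %-8s %r" % (label, result))
```

What this shows: with the payload, the concatenated query matches every row (the quote closed the literal and OR '1'='1' was executed as SQL), while the escaped and parameterized queries match nothing because they compare the whole input as a literal. With Monty's string, the concatenated query is the one that fails with a syntax error (the stray Mary token after the closed literal does not parse); the escaped and parameterized queries run fine and simply find no row whose name is the literal text John AND fname = 'Mary'. Escaping therefore does not produce an error, it makes the input inert; binding parameters achieves the same without depending on getting the escaping right for the database in use.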