John W. Holmes wrote:
> Then make sure $name has all single quotes escaped within it. If all of
> them are escaped, then it's just a string and can't do any harm. If they
> aren't escaped, then the user can break out of your own SQL and put
> their own.

I'm confused about when I should escape single or double quotes. Should all
quotes be stored as \" or \' in a database as well?

Regarding your suggestion above, is this what I should do? ...

    $name = "John AND fname = 'Mary'";

    $name = addslashes($name);

    // $name now holds: "John AND fname = \'Mary\'"

This forces MySQL to read \' as a character rather than as the beginning of
a variable value. So, in essence, this would produce a mySQL error instead
of executing the query, is that correct?


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to