Re: [SQL] What do I need to escape in an Insert ?
From | Bruce Momjian |
---|---|
Subject | Re: [SQL] What do I need to escape in an Insert ? |
Date | |
Msg-id | 199807310501.BAA11175@candle.pha.pa.us |
In response to | Re: [SQL] What do I need to escape in an Insert ? (Dan Delaney <dionysos@dionysia.org>) |
List | pgsql-sql |

> On Fri, 31 Jul 1998, Daniele Orlandi wrote:
>
> > Suppose I'm going to insert the content of a <TEXTAREA> in a
> > table. Obviously, there will be characters that could potentially
> > confuse the SQL statement. What (and how) do I need to escape the
> > data to make it acceptable for an Insert ? I currently use the
> > PHP's addslashes function, is it enough ?
>
> I'm not sure if PHP's addslashes command will take care of single
> quotes, I haven't tried it yet. I believe the proper escape for a
> single quote in SQL is to put another single quote in front of it.
> So if a person's last name is "O'Brien" it would be inserted as:
>
>    INSERT INTO personel (fname,lname) VALUES ('Michael','O''Brien');
>
> So what I do is a Regular Expression Replace in PHP, like this:
>
>    $lname = ereg_replace("'", "''", $lname);

But this does not handle backslashes in the string. I think the PHP
function does both.

--
Bruce Momjian                          |  830 Blythe Avenue
maillist@candle.pha.pa.us              |  Drexel Hill, Pennsylvania 19026
  +  If your life is a hard drive,     |  (610) 353-9879(w)
  +  Christ can be your backup.        |  (610) 853-3000(h)
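
What the backslash remark above means in practice, as an added example (not part of the original message): the quote-only replacement is compared with one that also doubles backslashes, by reading each resulting literal back. It assumes a server that treats backslash as an escape character inside '...' literals; the function names and `decode_literal` are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not code from the thread. Assumes '...' literals in which
// backslash is an escape character, as the reply above implies.

// Quote-only replacement from the quoted message (str_replace in place of ereg_replace).
function escape_quotes_only(string $s): string {
    return str_replace("'", "''", $s);
}

// Doubles backslashes as well as single quotes.
function escape_quotes_and_backslashes(string $s): string {
    return str_replace(["\\", "'"], ["\\\\", "''"], $s);
}

// Hypothetical, simplified reader for such a literal: returns the decoded value,
// or null when the literal does not close exactly at its last character.
// (A real server also maps sequences such as \n and \t; here \x yields x.)
function decode_literal(string $lit): ?string {
    $n = strlen($lit);
    if ($n < 2 || $lit[0] !== "'") {
        return null;
    }
    $out = '';
    for ($i = 1; $i < $n; $i++) {
        $c = $lit[$i];
        if ($c === "\\") {
            if (++$i >= $n) {
                return null;               // dangling backslash
            }
            $out .= $lit[$i];              // escaped character taken as-is
        } elseif ($c === "'") {
            if ($i + 1 < $n && $lit[$i + 1] === "'") {
                $out .= "'";               // doubled quote is one quote
                $i++;
            } else {
                return $i === $n - 1 ? $out : null;  // closing quote must be last
            }
        } else {
            $out .= $c;
        }
    }
    return null;                           // never closed
}

// Constructed sample values: O'Brien, C:\temp\ and a\b
foreach (["O'Brien", "C:\\temp\\", "a\\b"] as $s) {
    foreach (['escape_quotes_only', 'escape_quotes_and_backslashes'] as $fn) {
        $ok = decode_literal("'" . $fn($s) . "'") === $s;
        printf("%-30s %-10s %s\n", $fn, $s, $ok ? 'round-trips' : 'changed or unterminated');
    }
}
```

A value that does not round-trip is either stored differently from what was submitted or leaves the literal open, so the statement no longer parses as written.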