On Thu, Jun 14, 2001 at 06:57:43PM -0400, Mitch Vincent wrote:
> The apostrophe being a special character in PostgreSQL (and most other
> databases), it needs to be escaped if you wish it to go nicely into a
> query.
> addslashes() and related functions will help there.
>
> Another thing to keep in mind is htmlspecialchars() -- it's very useful
> when someone might put a double quote in your form field -- which could
> seriously mess up when you have something like <INPUT TYPE="TEXT"
> NAME="Whatever" VALUE="this is what I'm "talking" about"> , sort of thing.
Also note that the PHP runtime parameter magic_quotes_gpc is usually on
by default, which does the escaping by default.
- Frank
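The two cases discussed in this thread (an apostrophe going into a PostgreSQL query and a double quote going back into an `<INPUT VALUE="...">` field), as an added example that is not code from either poster; the connection string and the `notes` table are placeholders, and the input string is constructed:

```php
<?php
// Added example, not from the original thread.  Assumes a PostgreSQL
// connection and a table notes(body text); both are placeholders.

// Constructed user input containing an apostrophe and double quotes.
$input = 'this is what I\'m "talking" about';

// 1. Into the SQL query.  addslashes() is a generic backslash escaper with
//    no knowledge of PostgreSQL's quoting rules; pg_escape_literal() asks
//    the server library, and pg_query_params() keeps data out of the SQL
//    text altogether.
$conn = pg_connect('host=localhost dbname=example');   // placeholder DSN

// Escaped literal (the returned string already includes its quotes).
$literal = pg_escape_literal($conn, $input);
pg_query($conn, "INSERT INTO notes (body) VALUES ($literal)");

// Preferred: parameterised query, nothing to escape by hand.
pg_query_params($conn, 'INSERT INTO notes (body) VALUES ($1)', [$input]);

// Caveat for the magic_quotes_gpc setting mentioned above: if it is on,
// $_POST values already carry backslashes, so escaping them again doubles
// the slashes.  The setting was removed in PHP 5.4, so do not rely on it.

// 2. Back into the HTML form field.  ENT_QUOTES makes htmlspecialchars()
//    encode both the double quote and the apostrophe, so the VALUE
//    attribute cannot be terminated early by either one.
$safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo '<INPUT TYPE="TEXT" NAME="Whatever" VALUE="' . $safe . '">';
```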