submitting varchar string from form / escape characters

hi all,

I am using pgsql with php and have the following
problem:
I have a form which lets the user dynamically select a
table, after this query he gets a list of possible
attributes, after selecting one he can do a subquery
and select a second attribute, and an operator, and a
value. after this I put the final sql query string
together like:
$sql = "SELECT $attribute FROM $table WHERE $attribute2
$operator $value";
this string is now submitted to another php document
doing the query and tabing the results out. if $value
is a number, everything works fine, but if $value is a
string with several words, commatas and/or spaces
inside, I get an error message. when I try to do
something like "'".$value."'" I always get: ERROR:
parser: parse error at or near "\"

I tryed all possibilities of escape characters I could
think of. If somebody knows what I am missing, help
would be apreciated.


Tom

Get your free mail account @ http://www.20min.ch - Your Urban Update Tool