php \ escap special character problem

sinkingfish

Im trying to update an ms sql db but im strugglin with the pesky single quote. To update the db i need to covert a " ' " to " '' ". Then i try this i end up with a \. Really annoying.

$storyfixed = eregi_replace("'", "''", $story);

and


$storyfixed = eregi_replace('\'', '\'\'', $story);

are both producing the same problem

"help me'o" gets transformed into:--> 1, 'help me\''o', 'blank', CURRENT_TIMESTAMP

Anybody got any ideas?

Mr. Magoo

This should do it

$storyfixed = str_replace("'",'"',$story);

sinkingfish

Thanks for the help, we were both close...

this worked : $storyfixed = str_replace("\'","''",$story);

A little bit of trial and error!

phil

There's an addslashes() function in PHP which does this. You should be aware of SQL injection vulnerabilities you are opening yourself up to whenever you insert anything into an SQL database from user input fields.

It's normally wiser to use some of the database abstraction libraries knocking around like adodb.

TimTim

phil wrote:

There's an addslashes() function in PHP which does this. You should be aware of SQL injection vulnerabilities you are opening yourself up to whenever you insert anything into an SQL database from user input fields.

It's normally wiser to use some of the database abstraction libraries knocking around like adodb.

While I don't claim to be an anyway decent php coder. I've read/heard using addslashes() and stripslashes() in a php application is just a plain stupid thing to do.

If you are going to be using user input and putting it into a sql database mysql_real_escape_string() would better thing to use.

Inspector Gadget

I'd suggest the adodb library too (it's very handy, in my opinion) - it's got a method called qstr() that does exactly this.

Hope this helps,
Gadget