Mysql + php with special characters like '(Apostrophe) and " (Quotation mark)

Always at least use mysql_real_escape_string when adding user-provided values into the Database. You should look into binding parameters or mysqli so your query would become:

INSERT INTO `table` (`row1`) VALUES (?)

And ? would be replaced by the actual value after sanitizing the input.

In your case use:

$result = mysql_query("INSERT INTO `table` (`row1`) VALUES ('".mysql_real_escape_string($_POST['text'])."') ") or die(mysql_error());

Read up on SQL Injection. It's worth doing right ASAP!

Your sql string will be:

INSERT INTO `table` (`row1`) VALUES ('google's site')

Which is not a valid statement. As Nanne wrote, escape the string at least with mysql_real_escape_string : http://php.net/manual/en/function.mysql-real-escape-string.php

And read about sql injection http://en.wikipedia.org/wiki/SQL_injection

Think a bit: if someone posts this: $_POST['text'] with value: ');delete from table;....

Your can say good bye to your data :)

Always filter/escape input!

EDIT: As of PHP 5.5.0 mysql_real_escape_string and the mysql extension are deprecated. Please use mysqli extension and mysqli::escape_string function instead

Mysql + php with special characters like '(Apostrophe) and " (Quotation mark)

Tags:

Mysql

Sql

Php

Apostrophe

Related

Recent Posts