divinedesigns1, posted November 3, 2015 (edited):

So I keep getting this error. I tried escaping the double and single quotes but nothing seems to be working, but if I remove the single and double quotes myself it gets saved no problem.

Errors:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's G-Shock anti-magnetic X-Large G watch features a 51mm wide by 17mm thick black' at line 1

This is the code I'm using to escape the single and double quotes:

$detail = str_replace('"','"',$detail);
$detail = str_replace("'","'",$detail);

Any tips or hints will be useful.

Edited November 3, 2015 by DDs1
Ingolme, posted November 3, 2015:

You shouldn't have to escape quotes. Use the features built into the database library to handle sanitizing the data. What database library are you using?
divinedesigns1, posted November 3, 2015:

> You shouldn't have to escape quotes. Use the features built into the database library to handle sanitizing the data. What database library are you using?

mysqli
divinedesigns1, posted November 3, 2015:

> You shouldn't have to escape quotes. Use the features built into the database library to handle sanitizing the data. What database library are you using?

I sanitized it and that worked.
Ingolme, posted November 3, 2015:

It's best if you use prepared statements, which completely remove the need to sanitize the data, as stated here: http://php.net/manual/en/mysqli.real-escape-string.php#102639

You can't use a string escape to sanitize numbers, for example.
divinedesigns1, posted November 3, 2015:

> It's best if you use prepared statements, which completely remove the need to sanitize the data, as stated here: http://php.net/manual/en/mysqli.real-escape-string.php#102639
> You can't use a string escape to sanitize numbers, for example.

That's what I'm using. Maybe I shouldn't use "sanitized" to describe the use of mysqli_real_escape_string.
Ingolme, posted November 3, 2015:

I linked to a particular comment on the page, not to the page itself.
justsomeguy, posted November 3, 2015:

When you use prepared statements you don't need to use functions to try and escape the data. You should always use prepared statements when dealing with any user-supplied data in a query.
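The two replies above (Ingolme's point that a string escape cannot protect a numeric value, and justsomeguy's advice to use prepared statements for all user-supplied data) are illustrated by the following added example. It is not code from the thread or from the original poster: the table name `products`, its columns `id` and `detail`, the connection credentials and the sample values are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table
//   products (id INT PRIMARY KEY, detail TEXT)
// and placeholder credentials; adjust to your own setup.
$db = new mysqli('localhost', 'user', 'password', 'shop');
$db->set_charset('utf8mb4');   // escaping is only correct for the connection's charset

// Constructed sample input. The apostrophe in "Casio's" is the kind of
// character that produced the "near 's G-Shock ..." syntax error in the thread.
$detail = "Casio's G-Shock anti-magnetic X-Large G watch features a 51mm wide by 17mm thick black case";
$id     = '5';

// 1. Broken: the value is pasted into the SQL text, so the apostrophe ends
//    the string literal early and the rest of the description is parsed as SQL.
//    $db->query("UPDATE products SET detail = '$detail' WHERE id = $id");

// 2. Escaping helps only inside a quoted string literal. real_escape_string
//    leaves a value such as "5 OR 1=1" untouched because it contains nothing to
//    escape, so an unquoted numeric position stays injectable.
$escaped = $db->real_escape_string($detail);
//    $db->query("UPDATE products SET detail = '$escaped' WHERE id = $id");   // still wrong for $id

// 3. Prepared statement: values travel as parameters, never as SQL text, so
//    quotes in $detail are plain data and the id is typed as an integer.
function saveDetail(mysqli $db, string $id, string $detail): bool
{
    // Validate the id as an integer before it goes anywhere near the query;
    // filter_var returns false for "5 OR 1=1", "", "5abc" and similar.
    $intId = filter_var($id, FILTER_VALIDATE_INT);
    if ($intId === false) {
        return false;
    }

    $stmt = $db->prepare('UPDATE products SET detail = ? WHERE id = ?');
    if ($stmt === false) {
        return false;   // prepare fails on a bad SQL template, not on bad data
    }
    $stmt->bind_param('si', $detail, $intId);   // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

var_dump(saveDetail($db, $id, $detail));        // bool(true) on a matching row
var_dump(saveDetail($db, '5 OR 1=1', $detail)); // bool(false): rejected before any SQL runs
```

Note that `real_escape_string` is not wrong for string columns, but it has to be applied to every interpolated value, in the right charset, and it offers nothing for numeric or identifier positions; the prepared statement removes that per-value bookkeeping entirely, which is why both replies recommend it.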