Hi leegold,

I don't know what mysql_real_escape_string would do, because it isn't a standard PHP function. So I will disregard it and talk about the basics.
In fact you have a string delimiter in "Librarian's Edition", so you have to escape it to let MySQL know where the string really ends. There are two possibilities:

1. Double the quote to "Librarian''s Edition" with
   $descrip_field=str_replace("'","''",$descrip_field);
2. Use addslashes (as you described) to create "Librarian\'s Edition".

Both ways work. The disadvantage of the second one is that you might get back a "Librarian\'s Edition" when you select from the database. In that case you can't decide whether the user wanted that content or whether it occurred because of escaping. Therefore I would always recommend the first way and never(!) trust any automatic escaping PHP would do for you.

By the way... you might get more probs when you have backslashes in your strings. You should double them, too.

Frank

> I fixed it. But I'm not clear on why. The following code, i.e. taking
> the content and blatantly putting the content through addslashes():
>
>     $descrip_field=addslashes($descrip_field);
>
> Fixed it. But the code:
>
>     if (!get_magic_quotes_gpc()) {
>         $descrip_field = mysql_real_escape_string($descrip_field);
>     }
>
> Did *not* fix it. So, to simplify this. Why would addslashes work and
> the other code (which I see often as a "recommended" way to escape) not
> work? This is a PHP question I suppose but I wanted to end the thread.
> Sorry if I did not supply enough info up front for you to support.
>
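The two escaping options discussed in this thread, as an added example that is not part of the original messages. `escape_by_doubling()` and `decode_mysql_literal()` are hypothetical helpers; the second is a simplified model of how MySQL in its default SQL mode reads the body of a single-quoted literal, and the sample input is constructed from the title quoted above. It also applies `addslashes()` twice, the case in which a backslash ends up in the stored value.

```php
<?php
// Added example, not code from the thread. Sample input is constructed.

// Option 1 from the reply: double single quotes, and double backslashes too.
function escape_by_doubling(string $s): string
{
    return str_replace(["\\", "'"], ["\\\\", "''"], $s);
}

// Hypothetical helper: simplified model of how MySQL (default SQL mode) reads
// the body of a '...' literal. Only quote and backslash handling is modelled;
// escapes such as \n or \0 are out of scope. Returns the stored value, or
// null when a lone quote ends the literal early (the original symptom).
function decode_mysql_literal(string $body): ?string
{
    $out = '';
    $n = strlen($body);
    for ($i = 0; $i < $n; $i++) {
        $c = $body[$i];
        if ($c === "\\" && $i + 1 < $n) {
            $out .= $body[++$i];            // \' becomes ', \\ becomes \
        } elseif ($c === "'" && $i + 1 < $n && $body[$i + 1] === "'") {
            $out .= "'";                    // '' becomes '
            $i++;
        } elseif ($c === "'") {
            return null;                    // unescaped quote: string ends here
        } else {
            $out .= $c;
        }
    }
    return $out;
}

$input = "Librarian's Edition";
$cases = [
    'unescaped'        => $input,
    'quote doubled'    => escape_by_doubling($input),
    'addslashes once'  => addslashes($input),
    // Escaping applied twice, e.g. addslashes() on input that was already escaped.
    'addslashes twice' => addslashes(addslashes($input)),
];
foreach ($cases as $label => $literal) {
    $stored = decode_mysql_literal($literal);
    printf("%-16s %-24s %s\n", $label, $literal,
        $stored === null ? 'literal ends early' : "stores: $stored");
}
```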