Member Avatar for desiguru

How do i escape a string that includes a lot of ' and "

Here is my sql inser query's some part

VALUES
('','$_POST[FileID]','$_POST[FileAddress]','$_POST[Name]','$_POST[Requirements]','$_POST[DateAdded]','$_POST[Size]','$_POST[Changes]')";
  • 3 Contributors
  • 2 Replies
  • 88 Views
  • 9 Hours Discussion Span
  • Latest Post Latest Post by buddylee17
Member Avatar for compdoc

ok its better if you assign a variable to each $_POST and use the variable in the insert query like so.

//example
$FileID = $_POST['FileID'];
$FileAddress = $_POST['FileAddress'];
$Name = $_POST['Name'];
$Requirements = $_POST['Requirements'];
$DateAdded =  $_POST['DateAdded'];
$Size = $_POST['Size'];
$Changes = $_POST['Changes'];


VALUES
('$FileID', '$FileAddress', '$Name', '$Requirements', '$DateAdded', '$Size',' $Changes')";
Member Avatar for buddylee17

You could also cleanse the complete post array:

<?php
@extract($_POST);
foreach($_POST as $key => $value){
mysql_real_escape_string($value);
}
//now do specific cleansing and insert query
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.