Quote:
Originally Posted by Frodo
It escapes nasty characters in your sql statements. It's essential to stop mysql injection attacks.
Your insert code should look like this:
PHP Code:
$content = $_POST['content'];
$dbcontent = mysql_escape_string($content);
$sql="insert into some_table(msContent) values ('".$dbcontent."')";
$result = mysql_query($sql,$conn) or die("Fail");
It should go before your insert/update. It will turn this
Code:
insert into some_table(msContent) values ('This is some content with " in it and ' in it and things like that')
into
Code:
insert into some_table(msContent) values ('This is some content with \" in it and \' in it and things like that')
It sounds like you have other functions that are causing this problem, like the html_entities function that goergie mentions.
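
An added example, not part of the original posts: it shows that passing the content to the insert safely does not change what is stored, while entity-encoding before the insert does. It uses PDO bound parameters in place of the thread's mysql_escape_string; the in-memory SQLite database (pdo_sqlite) and the helper names store_content and load_content are assumptions made for illustration.

```php
<?php
// Added example. Table and column names come from the thread; the SQLite
// in-memory database and the helper functions below are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE some_table (id INTEGER PRIMARY KEY, msContent TEXT)');

// Insert through a bound parameter and return the new row id.
function store_content(PDO $pdo, string $content): int
{
    $stmt = $pdo->prepare('INSERT INTO some_table (msContent) VALUES (:content)');
    $stmt->execute([':content' => $content]);
    return (int) $pdo->lastInsertId();
}

// Read the stored value back exactly as the database holds it.
function load_content(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT msContent FROM some_table WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample input, same shape as the content quoted in the thread.
$content = 'This is some content with " in it and \' in it and things like that';

// 1. Bound parameter: the quotes cannot terminate the SQL string literal,
//    and the value read back is compared with the original input.
$rawId = store_content($pdo, $content);
var_dump(load_content($pdo, $rawId) === $content);

// 2. Entity-encoding before the insert: the quotes are stored as HTML
//    entities, so the stored value no longer equals the input.
$encodedId = store_content($pdo, htmlentities($content, ENT_QUOTES, 'UTF-8'));
var_dump(load_content($pdo, $encodedId) === $content);
echo load_content($pdo, $encodedId), "\n";

// 3. Keep the raw value in the database and encode only when writing HTML.
echo htmlspecialchars(load_content($pdo, $rawId), ENT_QUOTES, 'UTF-8'), "\n";
```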