I have some HTML code saved in a PHP string:
$str = "<font size=2 color=#e0e0e0>you don't have a clue</font>";
I have to write this string to the DB, so $str has to become part of the query.
Now, whatever my query, it's working fine as long as there are no ' SINGLE QUOTES in the string...
Any of the following two will solve my problem:
1. Some built-in method that parses a PHP string and removes all the ' SINGLE QUOTES from it... I remember mention of such a function while going through SQL injection.
2. ' SINGLE QUOTES submitted to the DB via the query without altering the query, i.e. how to make this query work:
$str = "Don't";
mysql_query("UPDATE content SET text='".$str."' WHERE p_ID='1'");
NOTE (on ' submission): $str comes from user input... I am using WMD and PHP Markdown, so now you know where the problem is...

mysql_query("UPDATE content SET text='". mysql_real_escape_string($str)."' WHERE p_ID='1'");
Not escaping user inputs before submitting them to the database is a security hole: it allows users to inject a tailored query chunk that will alter your original query and execute along with it. It's not just to allow legitimate users to submit content that includes single quotations, but also to prevent evil users from SQL-injecting our queries.
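As an added example (not code from the question or the answer above), here is the same UPDATE written three ways: the original concatenation, the escaped form using mysqli_real_escape_string (the maintained equivalent of the removed mysql_real_escape_string), and a PDO prepared statement where the value is never spliced into the SQL text at all. The DSN, credentials, and the $db mysqli handle are assumed placeholders; the table and columns (content.text, content.p_ID) are the ones from the question.

```php
<?php
// Added example: storing user text containing single quotes safely.
// Assumes a MySQL database with table `content` (columns text, p_ID) as in the question.
$str = "<font size=2 color=#e0e0e0>you don't have a clue</font>"; // constructed user input

// 1. The original pattern: $str is pasted into the SQL text. The ' in "don't"
//    closes the string literal and everything after it is parsed as SQL, which is
//    both the error the question hits and the SQL injection hole the answer describes.
$unsafe = "UPDATE content SET text='" . $str . "' WHERE p_ID='1'";

// 2. Escaping (the answer's fix): backslash-escapes ' " \ NUL \n \r and ^Z so the
//    literal stays intact. mysqli_real_escape_string needs the open connection ($db,
//    an assumed mysqli handle) because the escaping depends on the connection charset.
function build_escaped_update(mysqli $db, string $text, string $id): string {
    return "UPDATE content SET text='" . mysqli_real_escape_string($db, $text)
         . "' WHERE p_ID='" . mysqli_real_escape_string($db, $id) . "'";
}

// 3. Preferred: a prepared statement. The SQL goes to the server with placeholders
//    and the values travel separately, so no quoting of $str is needed and the text
//    cannot change the statement's structure. Returns the number of rows updated.
function update_content(PDO $pdo, string $text, string $id): int {
    $stmt = $pdo->prepare('UPDATE content SET text = :text WHERE p_ID = :id');
    $stmt->execute([':text' => $text, ':id' => $id]);
    return $stmt->rowCount();
}

// Assumed placeholder DSN and credentials; EMULATE_PREPARES=false asks for real
// server-side prepares rather than client-side string substitution.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$rows = update_content($pdo, $str, '1');
echo "updated $rows row(s)\n";
```

Option 3 also covers the p_ID value, which in the question is a hard-coded '1' but is often taken from the request in practice.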