i have some HTML code saved in a PHP string $str = <font size=2

Question

0

Asked: May 16, 20262026-05-16T17:57:27+00:00 2026-05-16T17:57:27+00:00

i have some HTML code saved in a PHP string $str = <font size=2

0

i have some HTML code saved in a PHP string

$str = "<font size=2 color=#e0e0e0>you don't have a clue</font>";

i have to write this string to DB so the $str has to become part of the query..

now whatever my query… its working fine as long as there are no 'SINGLE QUOTES in the string….

any of the following two will solve my problem

1. some built-in method parse a PHP string and remove all the 'SINGLE QUOTES from it… i remember mention of such a function while going through SQL Injection.
  - How to allow 'SINGLE QUOTES submitted to DB via Query without altering Query i.e how to make this query work
  $str = "Don't";
  
  mysql_query("UPDATE content SET text='".$str."' WHERE p_ID='1');

NOTE:

we can’t have users to take care of it or follow a technique to have successfull ' submission
the $str comes from user input… i am using WMD and PHP Markdown, so now you know where the problem is…

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-16T17:57:27+00:00

Use mysql_real_escape_string:

mysql_query("UPDATE content SET text='". mysql_real_escape_string($str)."' WHERE p_ID='1'");

Not escaping user inputs before submitting them to the database, is a security hole, it allows users to inject a tailored query chunk that will alter your original query, and execute along with it. It’s not just to allow legitimate users to submit content that includes single quotations, but also to prevent evil users from sql-injecting our queries.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

i have some HTML code saved in a PHP string $str = <font size=2

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply