you need to take a look at mysql_real_escape_string [php.net] and also stripslashes [php.net] in case you need to display the data after insert

Hello,

Use addslashes.

So if its
$str = "Hey O'brain";

and you use addslashes like:
echo addslashes($str);

than it should come out:
Hey O\'brain.

Peace :D

Thanks! Worked great.

you're better off using mysql_real_escape_string as it is more secure

you're better off using mysql_real_escape_string as it is more secure

I'd put that more strongly: you should never, ever write variable data that originated outside your program to a MySQL database without quoting it using mysql_real_escape_string.

Would something like this work?

$result=MYSQL_QUERY("INSERT INTO $table wf_FirstName1,wf_LastName3)",
"VALUES ('$wf_FirstName1', '$wf_LastName3')",
mysql_real_escape_string($wf_FirstName1),
mysql_real_escape_string($wf_LastName3));

It would look more like this:

$result=mysql_query("INSERT INTO $table wf_FirstName1,wf_LastName3) VALUES ('".mysql_real_escape_string($wf_FirstName1)."', '".mysql_real_escape_string($wf_LastName3)."')";

:)

Now should i use the escape string agrument for ALL the values being inserted into the db or just the ones that might include an apostrophe? Im kinda getting the feeling that it would be needed to be added to every value being inserted to avoid SQL Injection Attacks? Am i right to assume this?

>>>Am i right to assume this?

Yes you are, however, I was unsure if

$table

was defined from the client or by you in the script before the query. If any variable is put into a query where its value comes from user input then it must be escaped first.

Also, i was looking at the beggingni and closing " and (). Can you double check to make sure that the statment is correctly written to begin and end the " and () because the statement starts off ass (" but ends with )"

You're right! I don't usually put the query within the mysql_query function so I forgot to this time ;)

$result=mysql_query("INSERT INTO $table wf_FirstName1,wf_LastName3) VALUES ('".mysql_real_escape_string($wf_FirstName1)."', '".mysql_real_escape_string($wf_LastName3)."')"[b])[/b]; 

Good luck!

One more question,

("INSERT INTO $table wf_FirstName1,wf_LastName3)

Is there supposed to be a ) at the end of wf_LastName3?

Because that leaves an extra ) at the end of the statment

Haha...I'm just not thinking properly today, huh? I'm actually missing a parenthesis:

$result=mysql_query("INSERT INTO $table [b]([/b]wf_FirstName1,wf_LastName3) VALUES ('".mysql_real_escape_string($wf_FirstName1)."', '".mysql_real_escape_string($wf_LastName3)."')"); 

Perfect! Thank You Very Much! I will try this out and will post the results. I really do appreciate your help!

It worked Great! Thank You!

Nice! Glad to see you got it sorted :)