I have a page on a client's website that is used to update company news.
There are a couple of PHP scripts to update or add news items. The problem is that any time there is a quotation mark in the text of the news item, MySQL interprets it as the end of the string and then ends up returning a syntax error.
Is there any way to make MySQL ignore the quotation marks inside the query?
I know how to do this when I echo html, but it doesn't seem to work the same way for the MySQL query.
A quick word on Magic Quotes. Although it can be very tempting to use, they can prove to be a nightmare on portability. I highly advise against it unless you have a particular reason that they are needed. Standardization is good - magic quotes are not standard. :) Stick with add/strip slashes.
Another thing to note is that if you are taking any user variable and running a SQL query with it, you will want to run addslashes first. Even if the input is done on a drop down box w/ two choices. Inputs to a script can always be changed by a malicious user. Imagine if your yes/no input got changed to the string '";DROP *;' where the double quotes are actually part of the string. The ; would indicate the end of one MySQL query and the beginning of the next one. While the first one may return invalid, the next one will delete the entire database (oh fun, huh?).
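As an added example (not code from the original question or the answers above), here is how the add/update scripts can pass the news text to MySQL with mysqli prepared statements, so that quotation marks in the text are never parsed as SQL. The `news` table, its columns and the connection values are assumptions.

```php
<?php
// Added example, not from the original post. Assumed (hypothetical) table:
//   CREATE TABLE news (id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(255), body TEXT);
// Connection parameters are placeholders to be replaced with real values.

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');

// Constructed sample input containing the quotation marks that break a
// string-built query such as "... VALUES ('$title', '$body')".
$title = 'Q3 results: "record" quarter';
$body  = "The CEO said it's the company's best year so far.";

function add_news(mysqli $db, string $title, string $body): int {
    // The query text holds only placeholders; the values travel separately,
    // so quotes or semicolons in $title / $body never reach the SQL parser.
    $stmt = $db->prepare('INSERT INTO news (title, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $body);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

function update_news(mysqli $db, int $id, string $title, string $body): int {
    // Same approach for the update script; 'i' binds the id as an integer.
    $stmt = $db->prepare('UPDATE news SET title = ?, body = ? WHERE id = ?');
    $stmt->bind_param('ssi', $title, $body, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

$newId = add_news($mysqli, $title, $body);
echo "Inserted news item #$newId\n";
echo 'Updated rows: ' . update_news($mysqli, $newId, $title, $body . ' (edited)') . "\n";
```

The stored text keeps its quotation marks exactly as typed, with no slashes added or stripped at any point.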