passing a ' character through forms


nshack31

2:33 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Hi, I have created a registration form for my site. The only problem is, if you use the ' character, an error is printed. I know that to get around this you must send the character as \' but how!

e.g. if in the comments field I wish to enter "It's Great!" I must send this data as "It\'s Great"

But how?! Please help! Thanks in advance.

dkin

2:35 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



I believe that if this is writing to a database it's better if the \ is intact; when you output the row it will not show anyhow.

The only thing is, if you are showing the user his info after he submits it, then I believe he/she will see the \. Minor issue in my eyes, but it depends on your preference.

Cheers

nshack31

2:58 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Yes, I am writing to a database. Whenever the ' character is used, the data is not written and an error is shown. Is there a way around this?

Warboss Alex

3:03 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Your POST data is being automatically escaped, so you need to run stripslashes() on it before storing it in the database. Alternatively, encode that ' into the HTML entity for single quotes with htmlentities() (I think); I found that worked best for me.

Warboss Alex

3:07 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Something like:

<?php

//assume $_POST['str'] is set to "It's Great!"

//your server escaped the ', so it's now
//"It\'s Great!" in the variable

$str = stripslashes($_POST['str']);

//now it's "It's Great!"

//you can either store it like that, or run htmlentities

$str = htmlentities($str);

//$str now set to "It&#39;s Great!"

//store in database
?>

nshack31

3:35 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



I tried that, changed my code to...

<?php
$conn=odbc_connect('league','','');
$me=stripslashes($_REQUEST['username']);
$pass=stripslashes($_REQUEST['password']);
$clanname=stripslashes($_REQUEST['clanname']);
$email=stripslashes($_REQUEST['email']);
$clanweb=stripslashes($_REQUEST['clanweb']);
$clanshorttag=stripslashes($_REQUEST['clanshorttag']);
$clanslogan=stripslashes($_REQUEST['clanslogan']);
$clanshortmessage=stripslashes($_REQUEST['clanshortmessage']);
$clanvoipaddress=stripslashes($_REQUEST['clanvoipaddress']);
$clanvoippassword=stripslashes($_REQUEST['clanvoippassword']);
$clanvoipdescription=stripslashes($_REQUEST['clanvoipdescription']);
$me = htmlentities($me);

if (!$conn)
{
exit("Connection Failed: " . $conn);
}
$sql="Insert Into users (username, password, clanname, email, clanweb, clanshorttag, clanslogan, clanshortmessage, clanvoipaddress, clanvoippassword, clanvoipdescription) Values ('$me', '$pass', '$clanname', '$email', '$clanweb', '$clanshorttag', '$clanslogan', '$clanshortmessage', '$clanvoipaddress', '$clanvoippassword', '$clanvoipdescription')";
$rs=odbc_exec($conn,$sql);

I added $me = htmlentities($me); for test purposes, but if I entered the username as, say, re's I got the following error...

Warning: odbc_exec(): SQL error: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''re's', 'test', 'test', 'test@technik-it.co.uk', 'http://t', '', '', '', '', '', '')'., SQL state 37000 in SQLExecDirect in C:\league\registercheck.php on line 21
Error in SQL

Warboss Alex

3:38 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



You can't escape just one column with htmlentities; you've got to do whichever might have ' in.

nshack31

3:53 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Tried that; changed all variables to have $variable = htmlentities($variable);

but still no luck if I use a '

Any ideas?! Thanks!

dreamcatcher

3:57 pm on Jan 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



When you are writing form data to a database you need to use addslashes or mysql_escape_string, not stripslashes. You use stripslashes AFTER you retrieve the data.

If you have magic quotes ON on your server, then problematic quotes will automatically be escaped; if not, as mentioned earlier, you should use one of the above.

Try using addlashes when writing TO the database and stripslashes when getting the info FROM the database. I usually use str_replace with apostrophes to convert them to character entities (à la htmlentities), as this will increase SQL efficiency. Then I use str_replace to convert them back if need be.

Warboss Alex

4:00 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



I thought we weren't supposed to have to stripslashes() anything out of a database, in that it should have been formatted properly in the first place.

nshack31

4:06 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Fatal error: Call to undefined function: addlashes() in

Doh!

nshack31

4:08 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Oops, I put addlashes, not addslashes!

I still get an error...

Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''test\\\'s',

The error lies at line 21, which is....

$rs=odbc_exec($conn,$sql);

Any ideas?!

My code is as follows........

<?php
$conn=odbc_connect('league','','');
$me=addslashes($_REQUEST['username']);
$pass=addslashes($_REQUEST['password']);
$clanname=addslashes($_REQUEST['clanname']);
$email=addslashes($_REQUEST['email']);
$clanweb=addslashes($_REQUEST['clanweb']);
$clanshorttag=addslashes($_REQUEST['clanshorttag']);
$clanslogan=addslashes($_REQUEST['clanslogan']);
$clanshortmessage=addslashes($_REQUEST['clanshortmessage']);
$clanvoipaddress=addslashes($_REQUEST['clanvoipaddress']);
$clanvoippassword=addslashes($_REQUEST['clanvoippassword']);
$clanvoipdescription=addslashes($_REQUEST['clanvoipdescription']);
$me = htmlentities($me);
$pass = htmlentities($pass);
$clanname = htmlentities($clanname);
$email = htmlentities($email);
$clanweb = htmlentities($clanweb);
$clanshorttag = htmlentities($clanshorttag);
$clanslogan = htmlentities($clanslogan);
$clanshortmessage = htmlentities($clanshortmessage);
$clanvoipaddress = htmlentities($clanvoipaddress);
$clanvoippassword = htmlentities($clanvoippassword);
$clanvoipdescription = htmlentities($clanvoipdescription);

if (!$conn)
{
exit("Connection Failed: " . $conn);
}
$sql="Insert Into users (username, password, clanname, email, clanweb, clanshorttag, clanslogan, clanshortmessage, clanvoipaddress, clanvoippassword, clanvoipdescription) Values ('$me', '$pass', '$clanname', '$email', '$clanweb', '$clanshorttag', '$clanslogan', '$clanshortmessage', '$clanvoipaddress', '$clanvoippassword', '$clanvoipdescription')";
$rs=odbc_exec($conn,$sql);
if (!$rs)
{
exit("Error in SQL");
}
else
{
header ('location: index.php');
}

odbc_close($conn);
?>

Who would have thought trying to store a ' could cause so much trouble!

Hanu

4:26 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



I don't think stripslashes() is the right thing to do. You do need backslashes in front of every single quote to escape it. So you only need to do

$me = addslashes( $_REQUEST['username'] );

and don't use htmlentities().

If you insist on using htmlentities(), try

$me = htmlentities( $me, ENT_QUOTES );

Also, you might need to use html_entity_decode() after reading the data from the database to undo the effect of htmlentities().

nshack31

4:31 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Using $me = addslashes( $_REQUEST['username'] ); and removing the $me = htmlentities($me); part also gives an error!.....

Warning: odbc_exec(): SQL error: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression''re\\\'s', 'test', 'teast', 'test@.', 'http://', '', '', '', '', '', '')'., SQL state 37000 in SQLExecDirect in C:\league\registercheck.php on line 20
Error in SQL

Line 20 is the $rs=odbc_exec($conn,$sql); part

Should the part highlighted in bold be ''re\\\'s"?

Hanu

5:58 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



Ahh! Ok! I was wrong.

\\\' is the result of addslashes() on \'

This means that you already have backslashes in $me due to PHP's magic_quotes feature. Turn it off if you can. If not, use this:

if( get_magic_quotes_gpc() ) {
    $me = stripslashes( $_REQUEST['username'] );
}

In any case, we still need to escape the single quotes somehow:

$me = str_replace( "'", "''", $me );

This doubles every single quote by replacing every single quote with two single quotes, not a double quote. I love the last sentence! Anyway, Access seems to use a different escaping mechanism for single quotes. Usually, single quotes are escaped by a backslash but Access uses two single quotes to escape one single quote. I found this info on the web and I have not tried it out myself. Please tell me if this works. I am now very curious.
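The three pieces Hanu describes (strip the magic-quotes backslashes only when they are actually there, escape a single quote for Access by doubling it rather than backslashing it, and leave HTML encoding to output time instead of baking htmlentities() output into the table) put together in one place, as an added example written for this page; it is not code from any poster in the thread. It assumes the ODBC DSN 'league' and the users table from the original post, and the names form_value(), sql_literal(), insert_user() and html_text() are this example's own. It also shows the route the thread never reaches, odbc_prepare()/odbc_execute() placeholders: the values are never spliced into the SQL text, so the escaping question disappears, and the same "syntax error" the Access driver reports for re's cannot be triggered on purpose by a crafted value either.

```php
<?php
// Added example, not code from the thread. Assumptions: an ODBC DSN named
// 'league' and a table users(username, password, ...) as in the original
// post; all function and variable names below are this example's own.

// 1. Read a form field and undo magic_quotes_gpc only if it is actually on.
//    Stripping unconditionally corrupts a value that really contains a
//    backslash; escaping on top of magic quotes is what produced 're\\\'s'.
function form_value($name)
{
    if (!isset($_REQUEST[$name])) {
        return '';
    }
    $value = (string) $_REQUEST[$name];
    // get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. If the statement has to be built as a string: quote an Access (Jet) /
//    ANSI SQL literal by doubling single quotes. addslashes() yields
//    'test\'s', which the Access driver rejects; this yields 'test''s',
//    which it accepts. MySQL understands the doubled quote as well, but
//    mysql_real_escape_string() or placeholders are the supported route there.
function sql_literal($value)
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// 3. Preferred: bind the values with odbc_prepare()/odbc_execute(). The data
//    never becomes part of the SQL text, so "re's" and a value such as
//    "x', 'y" are both stored verbatim instead of changing the statement.
//    Caveat from the PHP manual: odbc_execute() treats a parameter that both
//    starts and ends with a single quote as a file name to read and send,
//    so such values are refused here rather than passed through.
function insert_user($conn, $username, $password)
{
    foreach (array($username, $password) as $p) {
        if (strlen($p) > 1 && $p[0] === "'" && substr($p, -1) === "'") {
            return false;
        }
    }
    $stmt = odbc_prepare($conn, 'INSERT INTO users (username, password) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    return odbc_execute($stmt, array($username, $password));
}

// 4. Store the raw text and encode at output time for the context it goes
//    into. Storing htmlentities() output means every other consumer (search,
//    CSV export, e-mail) has to html_entity_decode() it first. ENT_QUOTES is
//    needed, as Hanu notes: the default flags leave the single quote alone.
function html_text($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$conn = odbc_connect('league', '', '');
if (!$conn) {
    exit('Connection failed: ' . odbc_errormsg());
}

$username = form_value('username');   // e.g. "re's"
$password = form_value('password');

// String-built version; works on Access because of the doubled quote:
$sql = 'INSERT INTO users (username, password) VALUES ('
     . sql_literal($username) . ', ' . sql_literal($password) . ')';
// -> INSERT INTO users (username, password) VALUES ('re''s', 'test')

// Bound version (preferred):
if (!insert_user($conn, $username, $password)) {
    exit('Insert failed: ' . odbc_errormsg($conn));
}
odbc_close($conn);

echo '<p>Welcome, ' . html_text($username) . '</p>';   // re&#039;s
```

The bound version is also the answer to the later worry about moving from the ODBC test setup to MySQL: the same placeholder pattern exists in mysqli and PDO, whereas the string-escaping rules differ per database and have to be revisited on every move.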

nshack31

6:07 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



OK, turned magic quotes off and tried the following:

This
$me=addslashes($_REQUEST['username']);
$me = htmlentities($me);

This
$me=addslashes($_REQUEST['username']);

This
$me=($_REQUEST['username']);

None of them worked! I'm fairly new to PHP so am unsure how to try the other things :(

Where would this go....

if( get_magic_quotes_gpc() ) { $me = stripslashes( $_REQUEST['username'] ); }

?

And this...

$me = str_replace( "'", "''", $me );

?! I currently have my code on the registercheck page; it takes values from the form and places them into the database.

nshack31

6:14 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



SORTED, THANKS! I used what you said.....

if( get_magic_quotes_gpc() ) {$me = stripslashes( $_REQUEST['username'] ); }
In any case, we still need to escape the single quotes somehow:

$me = str_replace( "'", "''", $me );

How on earth you know that is beyond me! I'm testing it with ODBC at home; when I eventually upload it I'll be using MySQL, not sure if that will require a big change in code! I just hope that I'll be able to call the data correctly that I've written to the DB now!

Thank you very much

Hanu

6:26 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



You are welcome! I love success!

dreamcatcher

7:24 pm on Jan 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Cool, glad you got it sorted. :)

nshack31

9:14 pm on Jan 4, 2005 (gmt 0)

10+ Year Member



THANKS EVERYONE FOR YOUR HELP :)