Web Hosting Talk

Apostrophes In SQL Syntax


script-insta
05-25-2003, 02:32 AM
I'm having a bit of a problem here. I have a webmail client thing much like Hotmail or Yahoo. But the thing is, if you type an apostrophe (') or quotes (") anywhere in the program, you'll get a SQL Syntax Error. This only happens in about 3-5 spots I believe. I cannot turn Magic_Quotes on because it will screw up other scripts on the server. I know there is a way to make it work without Magic_Quotes, but you have to edit the php files. This is not my thing. If you can fix it for me, I will give you banner space on my site for a year, roughly getting 500 hits every 7 days. Please... Anybody that can help, please do. No newbies either. This needs to be done by a professional. Thank you.

If you can do this for me, please email me at

Email: admin@nexusprograms.net
AIM: menatubaguy

Thank you.

Kevin Cackler

Novicane
05-25-2003, 04:14 AM
[edit] Sorry, was under the assumption this was pertaining to something else. Comment retracted since I cannot delete it.

EthicalEpi
05-25-2003, 10:32 AM
I'm not sure if this will work with PHP and MySQL, but with ASP (using an Access or SQL Server database) a quick fix is just to replace every apostrophe you have with two apostrophes.

For example:

YourVariable=Replace(YourVariable,"'"*a,"''"*b)

*a is a single apostrophe (') enclosed in quotes
*b is 2 apostrophes enclosed in quotes

Obviously remove the *a and *b as they are just there so you can see the apostrophes and they don't look like quotes (")

You would then use YourVariable when building your SQL Query (which is probably already done for you in your code)

I'm sure there'd be a similar string replacing function in PHP. You'd probably only have to add a single line of code for each problem variable.

FW-Mike
05-25-2003, 12:12 PM
I suggested either str_replace, addslashes, or mysql_escape_string but he doesn't want to edit the code if he can avoid it

Helter
05-25-2003, 12:18 PM
From the MySQL documentation...

A `'' inside a string quoted with `'' may be written as `'''.
A `"' inside a string quoted with `"' may be written as `""'.
You can precede the quote character with an escape character (`\').
A `'' inside a string quoted with `"' needs no special treatment and need not be doubled or escaped. In the same way, `"' inside a string quoted with `'' needs no special treatment.

Basically you need to escape the quotation mark/apostrophe. In php you can use the addslashes and stripslashes functions to do that. Basically (and this is especially easy if you programmed using OO) you need to run your strings through addslashes(); just before they're inserted, and then through stripslashes(); whenever they're retrieved.

script-insta
05-25-2003, 01:42 PM
OK guys, thanks for the help, but I got it covered. Used a .htaccess file to turn on magic_quotes for just certain directories, and it works great. Thanks

Douglas
05-25-2003, 05:31 PM
Okay, there was a much easier way to do this...

$variablename = addslashes($variablename);
The above for inserting into the database

$variablename = stripslashes($variablename);
The above for parsing information onto a page from the database.

Would have been the easiest way to do this, instead of having it done via .htaccess.

Edited: Sorry, was the same thing as the previous post, just a bit more detailed.
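Added example (not code from this thread): the three ways of handling an apostrophe that Helter's and Douglas's posts describe, run side by side. It builds the same INSERT naively, with the doubling rule quoted from the MySQL docs, and with a bound parameter; sqlite3 stands in for MySQL, since the quoting rules involved are the same, and the subject lines are constructed sample input.

```python
import sqlite3

# Constructed sample inputs: webmail subject lines with an apostrophe, with quotes, and plain.
SAMPLE_SUBJECTS = ["Kevin's inbox", 'He said "hi"', "plain subject"]


def new_db():
    """Fresh in-memory database (sqlite3 stands in for MySQL here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mail (id INTEGER PRIMARY KEY, subject TEXT)")
    return conn


def insert_naive(conn, subject):
    """Concatenate the value into the statement, as the broken webmail script does.
    An apostrophe in the input ends the '-quoted literal early and the parse fails."""
    conn.execute("INSERT INTO mail (subject) VALUES ('" + subject + "')")


def insert_doubled(conn, subject):
    """Apply the rule quoted from the MySQL docs: a ' inside a '-quoted string is written ''.
    A " inside a '-quoted string needs no special treatment, so it is left alone."""
    conn.execute("INSERT INTO mail (subject) VALUES ('" + subject.replace("'", "''") + "')")


def insert_param(conn, subject):
    """Bind the value as a query parameter, so it never becomes part of the SQL text."""
    conn.execute("INSERT INTO mail (subject) VALUES (?)", (subject,))


def try_insert(insert_fn, subject):
    """Return ('ok', stored_value) or ('syntax error', None) for one strategy and input."""
    conn = new_db()
    try:
        insert_fn(conn, subject)
    except sqlite3.OperationalError:
        return ("syntax error", None)
    row = conn.execute("SELECT subject FROM mail").fetchone()
    return ("ok", row[0])


def run_demo():
    """Outcome of every strategy on every sample input, keyed by (strategy, input)."""
    strategies = {"naive": insert_naive, "doubled": insert_doubled, "param": insert_param}
    return {(name, s): try_insert(fn, s) for name, fn in strategies.items() for s in SAMPLE_SUBJECTS}


if __name__ == "__main__":
    for key, outcome in run_demo().items():
        print(key, "->", outcome)
```

The stored values come back equal to the original input in the escaped and parameterized cases: escaping only changes the SQL text, not what the database stores, so nothing has to be un-escaped on retrieval.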