Ok. Thought that you wanted to escape the values, not the query.
You've got a hard nut to crack =)
I would say that it is impossible to find which ' is correct and which
isn't.
-----Original message-----
From: Vincent, Justin [mailto:J.Vincent@e...]
Sent: 17 December 2002 16:58
To: professional php
Subject: [pro_php] RE: SV: making sql queries safe
> No need to escape strings if magic_quotes is enabled.
> If not, just use addslashes, stripslashes.
> For mysql use mysql_escape.
>
I'm trying to create a generic function that you
can pass an _entire_ query (as one string) into
(one that works whether magic quotes is on or off).
Example query..
insert into user ('john's', 'password')
If you add slashes, as you suggest, you would get..
insert into user (\'john\'s\', \'password\')
But what it needs to be is..
insert into user ('john\'s', 'password')
I know that you can addslashes to the _individual_
values as you are _building_ the query... I am trying
to work with the 'built' query as a whole.
Hence the use of regular expressions..
Try the sample code I submitted and you will see
what I mean.
Cheers,
Justin :)
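The escaping problem discussed in this thread, as an added example that is not Justin's or the list's own code. It assumes Python with the standard sqlite3 module, ports PHP's addslashes() by hand, and uses a constructed in-memory table (not the list's MySQL setup) for the parameterised variant:

```python
import sqlite3


def addslashes(s: str) -> str:
    """Port of PHP addslashes(): backslash-escape backslash, single and double quote."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_raw(table: str, values: list[str]) -> str:
    """Quote values WITHOUT escaping: the already-built query the thread starts from."""
    return f"insert into {table} (" + ", ".join(f"'{v}'" for v in values) + ")"


def escape_whole_query(query: str) -> str:
    """addslashes() over the finished query: it escapes the syntax quotes too (broken)."""
    return addslashes(query)


def build_escaped(table: str, values: list[str]) -> str:
    """Escape each value while building the query: only the data quotes get a backslash."""
    return f"insert into {table} (" + ", ".join(f"'{addslashes(v)}'" for v in values) + ")"


def same_text_different_data() -> tuple[str, str]:
    """Two different value lists that yield byte-identical query text, so no
    post-hoc escaper can recover which quotes were data and which were syntax."""
    return build_raw("user", ["a", "b"]), build_raw("user", ["a', 'b"])


def insert_with_placeholders(name: str, password: str) -> tuple[str, str]:
    """Parameterised insert: the driver sends values separately from the SQL text,
    so quotes inside data never need escaping at all. Constructed SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (name text, password text)")
    conn.execute("insert into user (name, password) values (?, ?)", (name, password))
    row = conn.execute("select name, password from user").fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    q = build_raw("user", ["john's", "password"])
    print(q)                      # insert into user ('john's', 'password')
    print(escape_whole_query(q))  # insert into user (\'john\'s\', \'password\')
    print(build_escaped("user", ["john's", "password"]))  # insert into user ('john\'s', 'password')
    print(same_text_different_data())   # two identical strings from different data
    print(insert_with_placeholders("john's", "password"))  # ("john's", 'password')
```

The two identical strings from same_text_different_data() are the reply's point in code: once the query is one string, the information needed to escape it correctly is gone, so escape per value while building, or better, use placeholders.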