Yup. That breaks it! So maybe it isn't possible then..!
> -----Original Message-----
> From: Datatal AB - Gauffin, Jonas [mailto:jonas@d...]
> Sent: 17 December 2002 16:40
> To: professional php
> Subject: [pro_php] SV: RE: making sql queries safe
>
>
> I'm not so good at RegExp, but what about this string:
>
> Insert into mytable values('I said: 'Hello my friend', And he
> said "I'm back"','another 'string'');
>
> -----Original message-----
> From: Vincent, Justin [mailto:J.Vincent@e...]
> Sent: 17 December 2002 17:35
> To: professional php
> Subject: [pro_php] RE: making sql queries safe
>
>
> > Ok. Thought that you wanted to escape the values, not the query.
> >
> > You got a hard nut to crack =)
> > I would say that it is impossible to find which ' is correct
> > and which isn't.
>
> What about this..
>
> <?php
>
> function safe_query($query)
> {
>     // Deal with all (,= 'add slashes' ),= combinations..
>     // (posted with the /e modifier, which PHP 7 removed; a callback
>     // performs the same substitution)
>     $patterns["/([\( ,=])'(.+)'([\) ,=])/U"] = function ($m) {
>         return $m[1] . "'" . addslashes(stripslashes($m[2])) . "'" . $m[3];
>     };
>
>     // Substitute sql comments with HTML entities..
>     // (the archive rendered the entities as the minus glyph; restored here)
>     $patterns["/--/"] = function ($m) {
>         return "&minus;&minus;";
>     };
>
>     // Note: space is always required at the end to make the
>     // first above regex work..
>     return preg_replace_callback_array($patterns, $query . " ");
> }
>
> echo safe_query("try putting any valid query here..");
>
> ?>
>
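To show why the thread ends where it does, here is an added example (not code from the thread or from either poster) that runs Jonas's string through a Python port of Justin's safe_query(), then through the two alternatives the thread is circling around: escaping each value before the statement is assembled, and binding values as parameters. The port keeps Justin's regex (PCRE's /U modifier made `.+` lazy, so it becomes `.+?`); the table name `mytable(a, b)` and the two values are assumptions inferred from Jonas's example, and the parameter-binding part uses SQLite's `?` placeholders rather than the MySQL driver the list was using.

```python
import re
import sqlite3

# Constructed input: the statement Jonas posted in the thread.
JONAS_QUERY = ("Insert into mytable values('I said: 'Hello my friend', "
               "And he said \"I'm back\"','another 'string'');")

# The two values that statement is meant to carry (assumed from Jonas's example).
VALUE_A = "I said: 'Hello my friend', And he said \"I'm back\""
VALUE_B = "another 'string'"


def addslashes(s):
    """Backslash-escape the characters PHP's addslashes() escapes."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def stripslashes(s):
    """Undo addslashes(): drop the backslash in front of any escaped character."""
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)


def regex_safe_query(query):
    """Port of Justin's safe_query(): locate quoted values inside an already
    assembled statement and re-escape them. Guessing where a value ends from
    the characters around a quote is exactly what Jonas's string defeats."""
    def requote(m):
        return (m.group(1) + "'" + addslashes(stripslashes(m.group(2)))
                + "'" + m.group(3))
    # Trailing space appended, as in the original, so the last value can match.
    out = re.sub(r"([( ,=])'(.+?)'([) ,=])", requote, query + " ")
    # The original swapped SQL comment markers for HTML entities.
    return out.replace("--", "&minus;&minus;")


def escape_then_build(a, b):
    """Escape each value on its own, then assemble the statement
    (MySQL-style backslash escaping). Every quote inside a value is covered
    because the escaper sees the value, not the finished statement."""
    return "insert into mytable values('%s','%s');" % (addslashes(a), addslashes(b))


def parameterised_roundtrip(a, b):
    """Bind the values as parameters: the driver never has to decide where a
    value starts or ends, so no escaping is needed at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (a TEXT, b TEXT)")
    conn.execute("INSERT INTO mytable VALUES (?, ?)", (a, b))
    row = conn.execute("SELECT a, b FROM mytable").fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    # The regex leaves the quote after "friend", the double quotes and the
    # apostrophe in "I'm" unescaped, so the statement is still broken.
    print(regex_safe_query(JONAS_QUERY))
    print(escape_then_build(VALUE_A, VALUE_B))
    print(parameterised_roundtrip(VALUE_A, VALUE_B))
```

Running it side by side makes the thread's conclusion concrete: once the values have been concatenated into the statement, no pattern over the statement can tell a quote that delimits a value from a quote inside one, so escaping has to happen per value before assembly, or be avoided entirely by binding parameters.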