Computing.Net > Forums > Web Development > Preventing MYSQL Injection Attacks!


Preventing MYSQL Injection Attacks!


Name: tubs
Date: January 15, 2009 at 09:55:46 Pacific
OS: Microsoft Windows Pista
CPU/Ram: 2.394 GHz / 3070 MB
Product: Hewlett-packard / Gj311aa-abu m8180.uk
Subcategory: PHP
Comment:

Hey,

I'm currently working on a small script for my website; it is powered by a MySQL DB and I have come into one big problem…

I have created a function to stop those pesky MySQL injections, but it likes to remove all ‘ from the text that I input.

Only problem is that I can’t use it as punctuation. How could I stop it from replacing ‘ with \’?

So sentences like

Joe’s blog’s are amazing!!!

Don’t become

Joe\’s blog\’s are amazing!!!

All help is very much appreciated!




Response Number 1
Name: tubs
Date: January 15, 2009 at 13:34:04 Pacific
Reply:

Oh, and I forgot to add that I'm using mysql_real_escape_string and strip_tags.



Response Number 2
Name: Fist (by fmwap)
Date: January 16, 2009 at 20:19:51 Pacific
Reply:

Use stripslashes after reading the data out of the database.

Technically though, you should be using a prepared statement & then you don't need to worry about quoting.



Response Number 3
Name: Michael J (by mjdamato)
Date: January 17, 2009 at 01:54:13 Pacific
Reply:

I'm guessing your PHP configuration has Magic Quotes turned on: http://www.php.net/magic_quotes
When Magic Quotes is turned on, any data coming from a form input will automatically have slashes added to the values. Then when mysql_real_escape_string() is used, it adds additional slashes on top of that!

User Input: Bob's Store
POST Data: Bob\'s Store
mysql_real_escape_string() output:
Bob\\\'s Store

As Fist states, you would want to run stripslashes on the POST data and then run mysql_real_escape_string() on it. However, if you want your code to be portable (move to any server), you need to code such that it will work whether magic quotes are on or off.

Instead of using mysql_real_escape_string() directly, you can create a custom function that will work no matter the environment.

function dbSafe($string)
{
  // Magic quotes (magic_quotes_gpc) already added slashes to the form
  // input; strip them so the value is escaped exactly once below.
  if (get_magic_quotes_gpc())
  {
    $string = stripslashes($string);
  }
  // Needs an open mysql_connect() link; escapes the value for use
  // inside a quoted SQL literal.
  return mysql_real_escape_string($string);
}

Michael J


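The double-escaping chain Michael J describes and the prepared-statement approach Fist recommends, as an added example that is not code from the thread. It assumes addslashes() as a stand-in for the magic_quotes_gpc step (removed in PHP 5.4, with get_magic_quotes_gpc() gone in PHP 8), and a placeholder posts(body) table and PDO DSN.

```php
<?php
// Added example, not from the original thread.
// Assumption: addslashes() reproduces what magic_quotes_gpc did to $_POST.

// 1. What the OP saw: magic quotes added one backslash, and escaping
//    the already-escaped value added more on top of it.
function showDoubleEscaping(string $userInput): array
{
    $postData     = addslashes($userInput);   // magic_quotes_gpc on $_POST
    $escapedTwice = addslashes($postData);    // mysql_real_escape_string() on top
    return ['input' => $userInput, 'post' => $postData, 'escaped' => $escapedTwice];
}

// 2. Undo magic quotes only when they are actually on, and guard the
//    call so the code still loads on PHP 8 where the function is gone.
function undoMagicQuotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 3. Prepared statement: the value is sent separately from the SQL text,
//    so the quotes in "Joe's blog's" need no escaping and are stored verbatim.
function insertPost(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Demonstration with the sentence from the original post.
$r = showDoubleEscaping("Joe's blog's are amazing!!!");
echo "Input:   {$r['input']}\n";     // Joe's blog's are amazing!!!
echo "POST:    {$r['post']}\n";      // Joe\'s blog\'s are amazing!!!
echo "Escaped: {$r['escaped']}\n";   // Joe\\\'s blog\\\'s are amazing!!!

// With a real DSN and table (placeholders here), the prepared statement
// replaces dbSafe() entirely:
// $pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass');
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares
// insertPost($pdo, undoMagicQuotes($_POST['body'] ?? ''));
```

Running it from the command line prints the three escaping stages; the backslashes never reach the database with the prepared statement, so nothing needs stripslashes() on the way back out.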
