Resolved several regex from post



ggalan
12-21-2011, 07:42 PM
I have an Ajax form posting into a SQL db and would like to backslash single quotes, double quotes and the backslash itself. This doesn't seem to work from an <input /> field.



$old = $_POST['title'];

$newTitle = trim( preg_replace('/\\\\/','\\\\\\\\',$old) ); // backslash a backslash \\
$newTitle = trim( preg_replace( '/[\"]/', '\"', $old ) ); // backslash the double quotes \"
$newTitle = trim( preg_replace( '/[\']/', '\"', $old ) ); // backslash the single quotes \'

mysql_query("UPDATE `mytable` SET title ='$newTitle' WHERE id='$id'");


Would I have to turn all those regexes into 1 concise statement?

jscheuer1
12-21-2011, 08:28 PM
No. Perhaps you could, perhaps not, or there might be a PHP function or functions that do all those things even more concisely. If you don't though, you would have to chain them. Here's one way:


$old = $_POST['title'];

$newTitle = trim( preg_replace('/\\\\/','\\\\\\\\',$old) ); // backslash a backslash \\
$newTitle = trim( preg_replace( '/[\"]/', '\"', $newTitle ) ); // backslash the double quotes \"
$newTitle = trim( preg_replace( '/[\']/', '\"', $newTitle ) ); // backslash the single quotes \'

mysql_query("UPDATE `mytable` SET title ='$newTitle' WHERE id='$id'");

But I think addslashes():

http://www.php.net/manual/en/function.addslashes.php

will do it all for you in one pass.

ggalan
12-21-2011, 08:58 PM
When I create a file to output the result it almost works, but the single quote is coming out as a double.
This was my input:

/ \ ' "



$File = "test.txt";
$Handle = fopen($File, 'w');
$Data = "$newTitle";
fwrite($Handle, $Data);
fclose($Handle);


Output from text file:


/ \\ \" \"


But in MySQL I don't get the backslashes and the single quote comes out as double:

/ \ " "

jscheuer1
12-21-2011, 10:00 PM
That's probably something in your regular expression(s). Have you tried addslashes? It's designed for entering data into a database, specifically to escape the \, ' , and " characters. Assuming the rest of your code is right, I think it would go like:


$old = $_POST['title'];

$newTitle = trim( addslashes($old) ); // add slashes

mysql_query("UPDATE `mytable` SET title ='$newTitle' WHERE id='$id'");

ggalan
12-21-2011, 11:53 PM
Thank you, that did it. My problem was in the HTML output. Is there a PHP function that can turn these slashes into a format that is displayable?

<input class='textfield' type='text' title='title' value='a \' \" / \\ v' />

I tried htmlspecialchars() but it doesn't take care of the single quote.



Re: this did it in the HTML output:


$newTitle = htmlspecialchars($title, ENT_QUOTES);
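
Added example, not part of the thread and not any poster's code: the same round trip (form value into the database, then back out into a single-quoted `value='...'` attribute) done with a bound parameter instead of `addslashes()` or regex escaping, and with `htmlspecialchars()` applied only at output time. It goes beyond what the thread covers by using PDO; the in-memory SQLite database is an assumption so the script runs without a MySQL server, and the sample input is constructed from the characters ggalan tested with.

```php
<?php
// Added example. Table and column names follow the thread; the SQLite
// in-memory database stands in for MySQL (assumption, for offline use).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO mytable (id, title) VALUES (1, 'old title')");

// Constructed sample input: slash, backslash, single quote, double quote.
$_POST['title'] = "/ \\ ' \"";
$id = 1;

// Store: bind the raw value. The driver keeps data separate from the SQL
// text, so no backslashes are added and none end up in the stored string.
$title = trim($_POST['title']);
$stmt = $pdo->prepare('UPDATE mytable SET title = :title WHERE id = :id');
$stmt->execute([':title' => $title, ':id' => $id]);

// Read back and confirm the stored value is exactly what was submitted.
$stmt = $pdo->prepare('SELECT title FROM mytable WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
echo 'round trip intact: ', var_export($stored === $title, true), "\n";

// Display: escape for the HTML context at output time.
// ENT_COMPAT leaves the single quote alone, which ends a value='...'
// attribute early; ENT_QUOTES encodes both quote characters.
$compat = htmlspecialchars($stored, ENT_COMPAT, 'UTF-8');
$quotes = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

echo "ENT_COMPAT: $compat\n";
echo "ENT_QUOTES: $quotes\n";
echo "<input class='textfield' type='text' title='title' value='$quotes' />\n";
```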