Insert textarea datas in mysql, with " or '....

I've a textarea and would like to save the content in a mysql table each
time a user click on a form.

How can I do for avoiding error when the user put a " or a ' in the message,
or any other character that may cause problems.

My query is:
"insert into questions(UserID,Question) values
(".$HTTP_POST_VARS["USERID"].",'".$HTTP_POST_VARS["QUESTION"]."')"

The problem is with QUESTION, that may have a ' in it, or ".

Bob

"insert into questions(UserID,Question) values
(".$HTTP_POST_VARS["USERID"].",'".mysql_escape_string($HTTP_POST_VARS["QUESTION"])."')"

this will work for single quotes and double quotes, but not for
`backquotes`. Most of the time I think people just shouldn't insert
backquotes :) So I normally just replace backquotes with single quotes
and the problem is solved:

"insert into questions(UserID,Question) values
(".$HTTP_POST_VARS["USERID"].",'".mysql_escape_string(str_replace("`","'",$HTT P_POST_VARS["QUESTION"]))."')"

not tested but should work :)


Bob Bedford wrote:
> I've a textarea and would like to save the content in a mysql table each
> time a user click on a form.
>
> How can I do for avoiding error when the user put a " or a ' in the
> message, or any other character that may cause problems.
>
> My query is:
> "insert into questions(UserID,Question) values
> (".$HTTP_POST_VARS["USERID"].",'".$HTTP_POST_VARS["QUESTION"]."')"
>
> The problem is with QUESTION, that may have a ' in it, or ".
>
> Bob
>