I have a script that inserts variables into a database something like:
INSERT INTO `table_name` (`text1`,`text2`,`text3`,`text4`) VALUES ('$text1', '$text2', '$text3', '$text4')
as you can see it puts the variables directly into the database, now if one of those variables has a ' in it it would mess up the the sql statement. How should I avoid this? I was thinking of using str_replace and replace ' with \' but that doesn't work. Any Ideas? I know there is a simple solution I just can't think of it right now.