php mysql special character escape

how to process php vars before trying to execute query? e.g. i am trying to inser开发者_如何学运维t text with ",' but it query couldn't execute? what is the best way to solve this with PDO class?

many thanks

Perhaps PDO::quote is what you are looking for: http://php.net/manual/en/pdo.quote.php

Take a look at both addslashes() and mysql_real_escape_string(). What's happening here is that a ' is a special character, meaning MySQL will treat it as part of it's syntax, instead of treating it as a string like you want. addslashes or mysql_real_escape_string will add a backslash \ before all single and double quotes (and others) to make them not part of the MySQL syntax.

You can use mysql_real_escape_string($string) to escape your incoming string so that ' and " will be escaped.

You should bind your PHP variables, not escape them.

$variable = "''''''''''''''''''";
$sth = $dbh->prepare('SELECT * FROM table WHERE column = ?');
$sth->execute(array($variable));