I have this code:
$var = mysqli_real_escape_string($connection,$_POST['var']);
$sql = "UPDATE users SET var = '$var' WHERE id = '$id'";
If the var is aaa, it's ok, even if the var is aa'bbb, but if the var is sss"ddd - the var that is updated is just sss.
I know it's because the MySQL query contains ".
Any idea?
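
One way to write this update with a prepared statement, so the value travels separately from the SQL text and quotes of either kind need no escaping (an added example, not part of the original post). It assumes `$connection` is an open mysqli connection and `$id` is the user's integer id; the helper name `update_var`, the read-back query and the form field at the end are illustrative assumptions for checking at which step a value gets shortened.

```php
<?php
// Added example. Assumes $connection is an open mysqli connection and $id
// holds the user's numeric id (the post shows neither being set up).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: updates users.var and returns what was stored.
function update_var(mysqli $connection, int $id, string $var): string
{
    // Placeholders keep the value out of the SQL string entirely.
    $stmt = $connection->prepare('UPDATE users SET var = ? WHERE id = ?');
    $stmt->bind_param('si', $var, $id);
    $stmt->execute();
    $stmt->close();

    // Read the row back to see exactly what the database holds.
    $stmt = $connection->prepare('SELECT var FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($stored);
    $stmt->fetch();
    $stmt->close();

    return (string) $stored;
}

// Accept only a plain string from the form.
$posted = is_string($_POST['var'] ?? null) ? $_POST['var'] : '';
$stored = update_var($connection, (int) $id, $posted);

// Matching lengths mean the value was stored in full.
error_log(sprintf('posted=%d bytes, stored=%d bytes',
    strlen($posted), strlen($stored)));

// Assumption: the value is shown again in a form field. Encoding it for
// the HTML attribute keeps a double quote inside the value from ending
// the attribute early.
echo '<input type="text" name="var" value="'
    . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
```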