Reputation: 4564
I have a MySQL statement like this:
// user input is interpolated straight into the SQL text, so an apostrophe in the input ends the quoted literal early
mysql_query("INSERT INTO movies (comments, description, synopsis)
VALUES ('{$_POST['comments']}', '{$_POST['desc']}', '{$_POST['synopsis']}')");
Very simple and straightforward, as you can see. The issue is that when I enter special characters into the form, it doesn't insert the data into my table (I use phpMyAdmin to check directly whether it was inserted). For example, if I put this value in the comments textarea: "this is a comment", it works. If I put instead: "what's your name? : John doe is my name", it breaks. I know it's because MySQL uses the characters... any suggestions on what I should do?
Upvotes: 0
Views: 5931
Reputation: 1
// escape each value before it is placed inside a quoted SQL literal
$comments = mysql_real_escape_string($_POST['comments']);
$desc = mysql_real_escape_string($_POST['desc']);
$synopsis = mysql_real_escape_string($_POST['synopsis']);
mysql_query("INSERT INTO movies (comments, description, synopsis)
VALUES ('$comments', '$desc', '$synopsis')");
Upvotes: 0
Reputation: 900
// escape each value before it is placed inside a quoted SQL literal
$comments = mysql_real_escape_string($_POST['comments']);
$desc = mysql_real_escape_string($_POST['desc']);
$synopsis = mysql_real_escape_string($_POST['synopsis']);
mysql_query("INSERT INTO movies (comments, description, synopsis)
VALUES ('$comments', '$desc', '$synopsis')");
For more information google "php addslashes", or look at this page, which looks explanatory: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
Upvotes: -1
Reputation: 1492
// escape each value inline; every escaped value must still sit inside single quotes in the SQL
mysql_query("INSERT INTO movies (comments, description, synopsis)
VALUES ('" . mysql_real_escape_string($_POST["comments"]) . "', '"
         . mysql_real_escape_string($_POST["desc"]) . "', '"
         . mysql_real_escape_string($_POST["synopsis"]) . "')");
Upvotes: 7
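As an added example (not code from the question or from any of the answers above), here is the same insert done with a mysqli prepared statement, which separates the SQL text from the values so that the apostrophe in "what's your name?" can never be parsed as part of the statement, followed by the escaping approach the answers use, done on the same connection for comparison. The connection credentials, the `insert_movie` helper and the sample inputs are assumptions made for this example; the `movies` table and its three columns are taken from the question.

```php
<?php
// Added example, not from the original page. Connection details are placeholders.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($mysqli->connect_error) {
    die('connect failed: ' . $mysqli->connect_error);
}
// Escaping and quoting rules depend on the connection charset, so set it explicitly.
$mysqli->set_charset('utf8mb4');

// Assumed helper: inserts one row via a prepared statement and returns the new row id.
function insert_movie(mysqli $db, string $comments, string $desc, string $synopsis): int
{
    // Placeholders stand in for the values; the driver sends them separately
    // from the SQL text, so quotes or backslashes in the input are just data.
    $stmt = $db->prepare(
        'INSERT INTO movies (comments, description, synopsis) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sss', $comments, $desc, $synopsis);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input: the apostrophe in "what's" is exactly what broke
// the query in the question; the other two fields add a double quote,
// a newline and a trailing backslash.
$comments = "what's your name? : John doe is my name";
$desc     = 'A "quoted" description';
$synopsis = "Line one\nLine two ends with a backslash \\";

$id = insert_movie($mysqli, $comments, $desc, $synopsis);
echo "Inserted row id $id\n";

// For comparison, the escaping approach from the answers. Each escaped value
// must be placed inside single quotes in the SQL; escaping alone does nothing
// for a value that is interpolated unquoted, as the synopsis was in the question.
$safeComments = $mysqli->real_escape_string($comments); // becomes: what\'s your name? : John doe is my name
$safeDesc     = $mysqli->real_escape_string($desc);
$safeSynopsis = $mysqli->real_escape_string($synopsis);
$ok = $mysqli->query("INSERT INTO movies (comments, description, synopsis)
                      VALUES ('$safeComments', '$safeDesc', '$safeSynopsis')");
echo $ok ? "Escaped insert succeeded\n" : 'Escaped insert failed: ' . $mysqli->error . "\n";
```

Two points worth checking in your own code: `mysql_real_escape_string()` belongs to the old `ext/mysql` extension, which was removed in PHP 7, so the mysqli or PDO equivalents are the ones available on current PHP; and `addslashes()` is not aware of the connection character set, which is why the connection-bound escape function (or, better, a prepared statement) is preferred over it.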