I have a form on my website that allows a person to insert information. I'm trying to prevent a MySQL attack, so I decided to try and fix that by not allowing apostrophes into my MySQL database. I'm using the str_replace function.
When a visitor enters information, this is the path the variable takes before entering my database, but for some reason apostrophes are being accepted into my database and I don't know why. Any help would be appreciated.
What am I doing wrong here?
$dealership = $_POST['dealership'];
$dealership = mysql_real_escape_string($dealership); // adds backslashes before quotes, backslashes and NUL
$dealership = stripslashes($dealership);             // strips backslashes, including those added on the line above
$dealership = capitalize($dealership);               // my own function
$dealership = trim($dealership);
$dealership = eregi_replace(",", "", $dealership);   // removes commas (ereg functions are deprecated)
$dealership = str_replace("'", "", $dealership);     // removes apostrophes
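Added example, not code from the question above: the same form field handled with a mysqli prepared statement, so that an apostrophe in the input is stored as typed and never reaches the SQL parser as part of the statement text. The table name `dealers`, its `dealership` column and the connection parameters are placeholders; the sample input in the CLI branch is constructed for illustration.

```php
<?php
// Added example: store a form value safely with a bound parameter instead of
// stripping characters from it. Table/column/connection names are placeholders.

function normalizeDealership(string $raw): string
{
    // Keep the normalization from the question that has nothing to do with SQL
    // safety: trim whitespace and drop commas. Apostrophes are left alone.
    $value = trim($raw);
    return str_replace(',', '', $value);
}

function insertDealership(mysqli $db, string $dealership): int
{
    // The SQL text contains only a placeholder; the value travels separately,
    // so a quote in $dealership cannot terminate the string literal.
    $stmt = $db->prepare('INSERT INTO dealers (dealership) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $dealership);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: shows what normalizeDealership() keeps and drops.
    echo normalizeDealership("  O'Neil's, Ford  "), "\n"; // O'Neil's Ford
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new mysqli('localhost', 'db_user', 'db_password', 'example_db'); // placeholders
    if ($db->connect_error) {
        throw new RuntimeException('connect failed: ' . $db->connect_error);
    }
    $db->set_charset('utf8mb4'); // keep client and server charset in sync

    $value = normalizeDealership($_POST['dealership'] ?? '');
    $newId = insertDealership($db, $value);
    echo 'inserted row ', $newId;
}
```

With a bound parameter, neither mysql_real_escape_string() nor stripslashes() is needed on the value; stripslashes() dates from the magic_quotes_gpc era and, applied after escaping, removes the backslashes the escaping just added. If the value is later printed back into a page, encode it for HTML at that point (htmlspecialchars()); that is a separate concern from the database insert.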