Apostrophe in form causing Error Number: 1064
#1

[eluser]loopymonkey[/eluser]
I have a form with a field called comments, and every time I use an ' in the form I get an error number 1064. For example, in my comments field I will type "This's my comment", and I will get this error:

Quote:An Error Was Encountered

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's my Comment')' at line 1

INSERT INTO participants (id, YourName, email, comments) VALUES(NULL, 'TEST NAME', '[email protected]', 'This's my Comment')

I have global xss_filtering on, and I'm using a model for form input:

Code:
<?php
class Form_model extends Model
{
  function Form_model()
  {
    parent::Model();
  }

  // Reads the posted fields and interpolates them straight into the SQL text.
  // A value containing an apostrophe (e.g. "This's my Comment") terminates the
  // quoted literal early, which is exactly what the 1064 error reports.
  function add_participant()
  {
    $YourName = $this->input->post('YourName');
    $email = $this->input->post('email');
    $comments = $this->input->post('comments');
    $this->db->query("INSERT INTO participants (id, YourName, email, comments) VALUES(NULL, '$YourName', '$email', '$comments')");
  }

  function list_participants()
  {
    $query = $this->db->query("SELECT * FROM participants");
    return $query;
  }
}
?>

Any help or leads appreciated!
#2

[eluser]Craig A Rodway[/eluser]
You have a couple of options - have a look here.

I'd recommend the Query Bindings option, so your query would be:

Code:
$sql = "INSERT INTO participants (id,YourName,email,comments) VALUES (NULL, ?, ?, ?)";
$this->db->query($sql, array($YourName, $email, $comments));
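To make the difference concrete, here is an added example (not code from either poster and not CodeIgniter's own library): the same INSERT built both ways against an in-memory SQLite database through PDO, so it runs stand-alone without a MySQL server. PDO's prepared statements are used as a stand-in for CodeIgniter's `$this->db->query($sql, $binds)`; both replace `?` placeholders with driver-supplied values rather than splicing text into the SQL. The table layout, the name and e-mail values, and the two comment strings are constructed for this demonstration. Note also that global XSS filtering does not help here: `xss_clean` strips script-like markup, it does not quote values for SQL.

```php
<?php
// Added example, not the original poster's or CodeIgniter's code: the same
// INSERT built by string interpolation and by query bindings, run against an
// in-memory SQLite database via PDO so the script is self-contained.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema mirroring the columns in the thread.
    $db->exec('CREATE TABLE participants (id INTEGER PRIMARY KEY, YourName TEXT, email TEXT, comments TEXT)');
    return $db;
}

// The original model's approach: user input spliced into the SQL text.
// Returns the database error message if the statement is rejected, else null.
function insertInterpolated(PDO $db, string $name, string $email, string $comments): ?string
{
    $sql = "INSERT INTO participants (id, YourName, email, comments) "
         . "VALUES (NULL, '$name', '$email', '$comments')";
    try {
        $db->exec($sql);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// Query bindings: the SQL text is fixed and the driver supplies the values,
// so an apostrophe (or anything else) in the input is stored as data.
function insertBound(PDO $db, string $name, string $email, string $comments): void
{
    $sql = 'INSERT INTO participants (id, YourName, email, comments) VALUES (NULL, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    $stmt->execute([$name, $email, $comments]);
}

function fetchComments(PDO $db): array
{
    return $db->query('SELECT comments FROM participants ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// Constructed inputs: the poster's apostrophe case, and a comment that closes
// the quoted literal and concatenates a subquery so that, when interpolated,
// the database stores another row's e-mail address instead of the text typed.
$inputs = [
    "This's my Comment",
    "' || (SELECT email FROM participants LIMIT 1) || '",
];

foreach ($inputs as $comment) {
    $err = insertInterpolated($db, 'TEST NAME', 'test@example.com', $comment);
    echo 'interpolated: ' . ($err ?? 'inserted without complaint') . "\n";
    insertBound($db, 'TEST NAME', 'test@example.com', $comment);
}

// The interpolated apostrophe case fails with a syntax error (SQLite's
// equivalent of MySQL's 1064); the interpolated subquery case succeeds but
// stores "test@example.com". Both bound inserts store the literal strings.
foreach (fetchComments($db) as $stored) {
    echo "stored: $stored\n";
}
```

The second input is the practical reason to prefer bindings over fixing the apostrophe alone: once input reaches the SQL text unquoted, the person filling in the form is writing part of the query, and the 1064 error is just the case where their contribution does not parse. If a query cannot be bound for some reason, the remaining option the CodeIgniter user guide offers is to pass each value through `$this->db->escape()` before interpolating it; bindings are simpler because there is nothing to forget.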
#3

[eluser]loopymonkey[/eluser]
That was it! thanks! Query bindings seem like the way to go.



