
[SOLVED] Quick question re: escaping data


KevinM1

It's been a while since I've had to work with a database, so I'd just like to refresh my memory.  Data that has been escaped and stored in a database (say, by using mysql_real_escape_string()) will still be output correctly, right?  So:

<?php
   $testString = "'This is a quote,' she said";

   if(get_magic_quotes_gpc()){
      $testString = stripslashes($testString);
   }

   $testString = mysql_real_escape_string($testString);

   $query = "INSERT INTO test_database (test_column) VALUES ('$testString');";
   $result = mysql_query($query);

   $query = "SELECT * FROM test_database";
   $result = mysql_query($query);
   $row = mysql_fetch_assoc($result);

   echo "{$row['test_column']}"; 
?>

Is the output: 'This is a quote,' she said

OR

is it: \'This is a quote,\' she said

?


That depends on whether "magic_quotes_runtime" is enabled or not. If it is not enabled, the output will be

'This is a quote,' she said

if it is enabled, the output will be

\'This is a quote,\' she said

Ken

Easily thwarted with set_magic_quotes_runtime(0)
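
The round trip discussed in this thread, as an added example that is not part of the original posts: a pure-PHP model that needs no database connection. The helpers model_escape(), model_server_store() and model_fetch() are hypothetical stand-ins for mysql_real_escape_string(), the server's parsing of a quoted string literal, and a fetch with or without magic_quotes_runtime.

```php
<?php
// Added illustration: models the escape -> store -> fetch round trip in plain PHP.

// Modelled on the documented behaviour of mysql_real_escape_string() for
// single-byte charsets: NUL, \n, \r, \, ', " and Ctrl-Z get a backslash prefix.
function model_escape(string $s): string {
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Hypothetical stand-in for the server reading the text between the quotes of
// VALUES ('...'). It only handles the sequences model_escape() emits and
// returns the bytes that would end up in the column.
function model_server_store(string $literal): string {
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $n = strlen($literal); $i < $n; $i++) {
        $c = $literal[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $next = $literal[++$i];
            $out .= $map[$next] ?? $next; // \' -> ', \\ -> \, \n -> newline
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// magic_quotes_runtime ran addslashes() over data returned from the database.
function model_fetch(string $stored, bool $magicQuotesRuntime): string {
    return $magicQuotesRuntime ? addslashes($stored) : $stored;
}

$input  = "'This is a quote,' she said";   // constructed sample, same as the post
$stored = model_server_store(model_escape($input));

var_dump($stored === $input);              // is the stored value the original?
echo model_fetch($stored, false), "\n";    // magic_quotes_runtime off
echo model_fetch($stored, true), "\n";     // magic_quotes_runtime on

// If magic_quotes_gpc had already added slashes and stripslashes() were
// skipped, the value is escaped twice and backslashes really are stored.
echo model_server_store(model_escape(addslashes($input))), "\n";
```

The escape characters exist only in the SQL text sent to the server; backslashes appear in output either because something re-adds them on read or because the input was escaped twice before the insert.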

Archived

This topic is now archived and is closed to further replies.
