Help with mysql_real_escape_string


Riparian

Hi All

This is an old topic but I still am confused.

php.net says use this on an "unescaped string", so fine, I use it when inserting data and it escapes the data no trouble.

I then use stripslashes when displaying the text.

BUT

If I transfer content from table 1 (which has been escaped) to table 2 the escape characters disappear.

Does this mean that "every" time I retrieve data from a table and then write the data back to a table (even if the data has been escaped before) I need to use the escape string function?

Any help is greatly appreciated :)


The escape \ characters are not actually inserted into the database. They are only in the query string so that the special sql characters can be represented in the query.

If they are present in the data when you retrieve it, this is because the magic_quotes_runtime setting is on and php is automatically escaping the data when it is fetched.

So, yes you always need to escape data that could contain any special sql characters so that they don't break the query and can be inserted into the database.

That would probably mean you are escaping data that is already escaped.

You either need to turn off the php settings that are automatically escaping the data (the magic quotes settings have been completely removed in upcoming php6 anyway so this is your best choice) or you need to unconditionally use stripslashes() on the data (the reason I mention unconditionally doing this is the extra logic to detect if the pertinent magic quote setting is off and jumping over a call to stripslashes() takes about the same amount of time as running stripslashes() on data that has no escape characters in it.)

Your problem with php adding slashes (in fact it does not escape all the characters that will break a query, so everyone needs to remove the slashes php adds and use mysql_real_escape_string() anyway) is the reason all the magic quotes settings have been removed in php6. Getting the programming language to do something that the programmer should have been doing, and only when he wanted it to be done, was yet another time waster for everyone using php.
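The table 1 to table 2 round trip from this thread, as an added example that is not code from either post. It assumes PDO with an in-memory SQLite database so it runs without a server (SQLite escapes a quote by doubling it where MySQL uses a backslash; the behaviour shown is the same), and the table names `t1`/`t2` and the sample string are constructed.

```php
<?php
// Added illustration; t1, t2 and $input are constructed for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t1 (body TEXT)');
$pdo->exec('CREATE TABLE t2 (body TEXT)');

$input = "It's an O'Reilly book";

// 1. Escaping changes only the query text. PDO::quote() escapes the value
//    and also adds the surrounding quotes of the SQL string literal.
$literal = $pdo->quote($input);
echo "query literal: $literal\n";
$pdo->exec("INSERT INTO t1 (body) VALUES ($literal)");

// 2. What the database stored is the original string, with no escape
//    characters in it, so there is nothing for stripslashes() to remove.
$stored = $pdo->query('SELECT body FROM t1')->fetchColumn();
var_dump($stored === $input);

// 3. Pasting the fetched value into a new query without escaping breaks
//    the string literal: the value's own quotes end it early.
try {
    $pdo->exec("INSERT INTO t2 (body) VALUES ('$stored')");
} catch (PDOException $e) {
    echo 'unescaped copy failed: ', $e->getMessage(), "\n";
}

// 4a. Escape every time a value is placed into query text, whatever
//     its origin (user input or another table)...
$pdo->exec('INSERT INTO t2 (body) VALUES (' . $pdo->quote($stored) . ')');

// 4b. ...or bind the value as a parameter, so it never becomes part of
//     the query text and needs no escaping.
$stmt = $pdo->prepare('INSERT INTO t2 (body) VALUES (?)');
$stmt->execute([$stored]);

// Both rows in t2 compare equal to the original input.
foreach ($pdo->query('SELECT body FROM t2') as $row) {
    var_dump($row['body'] === $input);
}
```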
