tyweed Posted May 2, 2008

So, I have a login page and I'm trying to avoid SQL injections. I'm trying to use mysql_real_escape_string(), but for whatever reason, when it checks the value in the database using mysql_real_escape_string(), it is not finding the password. So I printed what the password looks like to the screen, and let's assume I entered the password: test's. It's printed as test\\\'s, and when it looks for it in the database it is not finding test's. Should this method just be adding a single escape? I thought it would look like test\'s after using mysql_real_escape_string(). Any ideas what's going on?

$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);
print $email . " : " . $password;
moselkady Posted May 2, 2008

It is possible that your $_POST values are already escaped. In that case you do:

if (get_magic_quotes_gpc()) {
    $_POST['email'] = stripslashes($_POST['email']);
    $_POST['password'] = stripslashes($_POST['password']);
}
tyweed Posted May 2, 2008

Yes, you were right, it was that magic quotes was on. I have a quick question, though, on when these strings are escaped and placed into the database. When they are placed into the database they are escaped; now, any time you try to access anything in the database, do I need to add slashes? Seems kind of a pain. Is there a better way?
BlueSkyIS Posted May 2, 2008

You only need to add slashes if the data will be placed into an apostrophe-sensitive location like a form field. What I usually do in that case is:

<INPUT TYPE='text' NAME='field1' VALUE='<?php echo htmlspecialchars($the_value_in_question, ENT_QUOTES); ?>'>
Fadion Posted May 3, 2008

If you have access to php.ini (or a custom one on shared hosts), disable magic_quotes, as they will only give you problems. It will be removed in PHP 6, so for the sake of backward compatibility, don't use them.

@BlueSkyIS, mysql_real_escape_string() doesn't escape only quotes and double quotes; as it is written in the manual: mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. Using htmlspecialchars() or htmlentities() with ENT_QUOTES as an optional parameter is fine in most cases, but it is highly suggested to clean data with mysql_real_escape_string() before using it in a query.
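An added example, not code from this thread, that reproduces the double escaping tyweed saw, shows moselkady's stripslashes() fix beside the character list Fadion quotes from the manual, and answers the "is there a better way?" follow-up with a prepared statement. Because mysql_real_escape_string() needs an open connection and no longer exists in PHP 7, escapeLikeMysql() below is a stand-in that backslashes the same seven characters (an assumption); the users table, its columns and the findUser() function are likewise assumptions for illustration. Run under the PHP CLI it prints test\\\'s for the double-escaped case and test\'s for the other two.

```php
<?php
// Added example, not code from the thread. escapeLikeMysql() is a stand-in
// (assumption) for mysql_real_escape_string(): it prepends a backslash to the
// same characters the manual lists: \x00, \n, \r, \, ', " and \x1a.
function escapeLikeMysql(string $s): string
{
    // Backslash goes first so the backslashes added below are not doubled again.
    $search  = ["\\",   "\0",  "\n",  "\r",  "'",   "\"",   "\x1a"];
    $replace = ["\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"];
    return str_replace($search, $replace, $s);
}

// What tyweed saw: magic_quotes_gpc had already run addslashes() over $_POST,
// so escaping again turns test's into test\\\'s.
function doubleEscaped(string $raw): string
{
    $asReceived = addslashes($raw);        // what $_POST held with magic quotes on
    return escapeLikeMysql($asReceived);   // the second, unwanted layer
}

// moselkady's fix: undo magic quotes first, then escape exactly once.
function escapedOnce(string $asReceived, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $asReceived = stripslashes($asReceived);
    }
    return escapeLikeMysql($asReceived);
}

// The better way for the follow-up question: a prepared statement sends the
// value separately from the SQL text, so nothing is escaped on the way in and
// no slashes need stripping on the way out. The `users` table and its columns
// are assumptions for illustration.
function findUser(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Check the submitted password with password_verify() against the stored
    // hash rather than selecting rows by the password itself.
    return $found ? ['id' => $id, 'password_hash' => $hash] : null;
}

$raw = "test's";   // constructed sample input, the password from the post
echo "raw:            $raw\n";
echo "double escaped: " . doubleEscaped($raw) . "\n";
echo "escaped once:   " . escapedOnce(addslashes($raw), true) . "\n";
echo "no magic:       " . escapedOnce($raw, false) . "\n";
// The same value in a form field is a different output context (BlueSkyIS's point).
echo "for HTML attr:  " . htmlspecialchars($raw, ENT_QUOTES) . "\n";
```

The two escaping layers are independent of each other: addslashes() and the MySQL escape both turn a backslash into two, so any value that has passed through both comes back wrong whichever one you strip first. Escape once, right before the value goes into the SQL string, or bind it as a parameter and do not escape at all.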