[SOLVED] mysql_real_escape_string

[mdnghtblue]

This is probably an easy fix, but I'm still new to this stuff.

 

I have a notice field in the database, and I save it like this:

 

if ($save_notice) {
swearCheck($notice);
$notice = htmlspecialchars(strip_tags($notice));
//$notice = addslashes($notice);
$notice = preg_replace("#([\S]{60})#i","\\1 ",$notice);
$notice = substr(ereg_replace("\n\n","\n",$notice),0,1500);
$users[notice] = $notice;
saveUserData($users,"notice");
echo "Notice Saved!<BR><b>Your Notice:</b> ".nl2br(htmlspecialchars_decode($notice))."<BR>";
}

 

 

in saveUserData, I use mysql_real_escape_string before updating the database:

 

$data = mysql_real_escape_string($data);
sqlQuotes($data);
$update .= "$tmp=\"$data\"";

 

 

But the notice shows up with "rn"s where a line break should be (and in the database too). This only started happening when I added in mysql_real_escape_string. Am I using it wrong? =/

[phpzone]

 

What does sqlQuotes function do, does it also escape carriage return/linefeeds?

 

Just thinking you might be escaping twice and so not getting your \n parsed as a carriage return somewhere in

your PHP.

[mdnghtblue]

That was the problem. =) It was stripslashing it. Commented it out and it was fine.

 

// replace ' with '' to avoid malformed SQL queries
function sqlQuotes (&$str)
{
$str = str_replace("'","''",stripslashes($str));
}

 

Do I even still need this function if I'm using mysql_real_escape_string?

 

[trq]

Assuming your using mysql, this sqlQuotes function is pretty useless. mysql uses slashes to escape data, the only db's I know of that use quotes are ms ones. eg; Access and MsSql.

[mdnghtblue]

Nice. Guess I'll take it out then. Thanks very much. =)