
[SOLVED] Stupid question about mysql_real_escape_string()


JHolovacs


I tried searching for this online, but my keywords are just too vague; I'm hoping someone knows this off the top of their head.

 

If I get a $_REQUEST variable in, I filter it through mysql_real_escape_string as a matter of course; it makes sense to me, the security benefit is clear, but the problem is it tends to malform the data I'm trying to insert into my MySQL database. For example:

 

$store_name = mysql_real_escape_string($_REQUEST['store_name']);
$query = "INSERT INTO stores (store_name) VALUES ('$store_name')";
$result = mysql_query($query);

 

All is well if I enter "SpudRuckers" as the form data, but if I enter "Joe's Cheese Eatery" the data in my database shows up as "Joe\'s Cheese Eatery" which is not what I want.

 

What am I doing wrong?

Since you have magic_quotes turned on, you should use stripslashes() before the mysql_real_escape_string():

<?php
$store_name = mysql_real_escape_string(stripslashes($_REQUEST['store_name']));
$query = "INSERT INTO stores (store_name) VALUES ('$store_name')";
$result = mysql_query($query);
?>

 

Ken
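
Added example, not part of the original thread or Ken's reply: a database-free PHP model of why escaping a value that magic quotes has already slashed stores a literal backslash, and of the reply's strip-then-escape order. The `model_*`, `simulate_magic_quotes`, `undo_magic_quotes` and `round_trip` functions and the `C:\stores\new` input are constructed for illustration; the two `model_*` functions only approximate MySQL's behaviour for a single-byte character set.

```php
<?php
// Added illustration, not code from the thread. Needs no database: the two
// model_* functions are assumptions that imitate MySQL for a single-byte charset.

// magic_quotes_gpc applied addslashes() to every request value before the script ran.
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// Imitates mysql_real_escape_string(): backslash-escape \, ', ", NUL, LF, CR, Ctrl-Z.
function model_mysql_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Imitates the server reading a quoted literal: each escape pair becomes one character.
function model_stored_value(string $literal): string {
    $special = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a"];
    return preg_replace_callback('/\\\\(.)/s', function (array $m) use ($special) {
        return $special[$m[1]] ?? $m[1];
    }, $literal);
}

// Strip the slashes only when magic quotes actually added them. On PHP versions
// that had the setting, get_magic_quotes_gpc() reported whether it was on.
function undo_magic_quotes(string $value, bool $magicQuotesOn): string {
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Follow one form value from the browser to the stored column value.
function round_trip(string $typed, bool $magicQuotesOn, bool $undo): string {
    $request = $magicQuotesOn ? simulate_magic_quotes($typed) : $typed;
    if ($undo) {
        $request = undo_magic_quotes($request, $magicQuotesOn);
    }
    return model_stored_value(model_mysql_escape($request));
}

$cases = ["Joe's Cheese Eatery", 'C:\\stores\\new']; // constructed sample inputs
foreach ($cases as $typed) {
    foreach ([true, false] as $on) {
        printf("typed=%s magic_quotes=%s\n", $typed, $on ? 'on' : 'off');
        printf("  escape only       -> %s\n", round_trip($typed, $on, false));
        printf("  undo, then escape -> %s\n", round_trip($typed, $on, true));
    }
}
```

The guard in `undo_magic_quotes` matters when the setting is off: an unconditional `stripslashes()` would turn `C:\stores\new` into `C:storesnew` before it reached the database.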

Archived

This topic is now archived and is closed to further replies.
