NathanLedet Posted July 29, 2008

Very simple form to put data into a database...

    $firstname = mysql_real_escape_string($_POST['firstname']);

If I put in firstname as something like tes't, it outputs tes\\\'t ???

Link to comment https://forums.phpfreaks.com/topic/117198-mysql_real_escape_string-adds-3-slashes/

d.shankar Posted July 29, 2008

That's what the function does. It escapes single quotes to backslashes to avoid SQL injection attacks. What are you trying to achieve?

NathanLedet Posted July 29, 2008

I'm just trying to secure the form to prevent injection attacks. I thought it was supposed to add only 1 slash. Is it because of magic quotes?

d.shankar Posted July 29, 2008

Yes, turn it off!

NathanLedet Posted July 29, 2008

I found this function and it works well:

    $dbh = mysql_connect("localhost", "user", "pass") or die(mysql_error());

    function escape_data($data) {
        global $dbh;
        // If magic_quotes_gpc already added slashes, remove them first
        // so the value is not escaped twice.
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($data);
        }
        // Escape once, using the open connection's character set.
        return mysql_real_escape_string(trim($data), $dbh);
    }

    $firstname = escape_data($_POST['firstname']);

Now... is it considered bad practice to put data into a database with \' or \" ? I would say yes, because now I have to use stripslashes($firstname) whenever I'm pulling it out just so it looks right... but how do I put $firstname into the database and ensure its safety?

PFMaBiSmAd Posted July 29, 2008

The escape characters \ in a query are not inserted into the database. However, if you are getting \ in data after it has been retrieved from a database, it is because of the magic_quotes_runtime setting, which should be turned off as well.
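
The escaping layers discussed in this thread, traced step by step as an added example that is not part of any post above. It assumes addslashes() and stripslashes() as stand-ins for magic_quotes_gpc, mysql_real_escape_string() and MySQL's string-literal parsing, so it runs on current PHP without a database; the function names are hypothetical.

```php
<?php
// Added illustration, not code from the thread. addslashes()/stripslashes()
// are stand-ins (assumption) so the trace runs without a MySQL server.

// magic_quotes_gpc ran the equivalent of addslashes() on every $_POST value.
function after_magic_quotes($typed) {
    return addslashes($typed);
}

// Stand-in for mysql_real_escape_string(): for a quote or a backslash it
// produces the same output as addslashes().
function sql_escape($value) {
    return addslashes($value);
}

// Model of MySQL reading a quoted string literal (default sql_mode): each
// backslash escape collapses to the character it protects.
function stored_by_mysql($literal) {
    return stripslashes($literal);
}

// The thread's escape_data() logic, with the magic-quotes state passed in
// as a parameter instead of read from ini_get().
function escape_data_model($posted, $magic_quotes_on) {
    if ($magic_quotes_on) {
        $posted = stripslashes($posted); // undo the automatic layer first
    }
    return sql_escape(trim($posted));
}

$typed  = "tes't";                     // constructed sample input
$posted = after_magic_quotes($typed);  // what $_POST['firstname'] held

$double = sql_escape($posted);               // escaped on top of magic quotes
$single = escape_data_model($posted, true);  // magic-quotes layer removed first

printf("typed:           %s\n", $typed);
printf("in \$_POST:       %s\n", $posted);
printf("double escaped:  %s  -> stored as %s\n", $double, stored_by_mysql($double));
printf("escape_data():   %s  -> stored as %s\n", $single, stored_by_mysql($single));
```

The double-escaped line shows the three backslashes from the first post and the one backslash that survives into the stored value; the escape_data() line stores the name exactly as typed.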
This topic is now archived and is closed to further replies.