AdamB
Posted January 17, 2009

Hello,

I'm having a problem with mysql_real_escape_string in an application I'm writing. Whenever I escape a string I get an error back because the database cannot then insert it:

```php
function add_user($firstname, $lastname, $telephone, $email)
{
    $query = "INSERT INTO tblusers (firstname, lastname, telephone, email, active) VALUES('$firstname', '$lastname', '$telephone', '$email', '1');";
    $query = mysql_real_escape_string($query);
    mysql_query ($query) or die ('Could not add caseworker.');
}
```

I know the slashes are being added correctly because I've echo'ed the query post-escaping. Have I misunderstood the use of the function or is there something else I need to use?

Thanks!
Adam

Mchl
Posted January 17, 2009

You should not escape the whole query, you should escape the individual variables that go into the query instead.

```php
function add_user($firstname, $lastname, $telephone, $email)
{
    $firstname = mysql_real_escape_string($firstname);
    $lastname = mysql_real_escape_string($lastname);
    $telephone = mysql_real_escape_string($telephone);
    $email = mysql_real_escape_string($email);
    $query = "INSERT INTO tblusers (firstname, lastname, telephone, email, active) VALUES('$firstname', '$lastname', '$telephone', '$email', '1');";
    mysql_query ($query) or die ('Could not add caseworker.');
}
```

DarkWater
Posted January 17, 2009

You completely misunderstood how to use the function. You don't escape the whole query string. You need to escape all of the individual variables you're using in the query.

PFMaBiSmAd
Posted January 17, 2009

Individual pieces of data are escaped, not the whole query as that would break the quotes that are part of the query syntax.
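
The difference the replies above describe, as an added example that is not part of the original thread. `escape_like_mysql()` and `build_insert()` are hypothetical helpers: the first applies the same backslash escapes as mysql_real_escape_string() without needing a connection (the mysql_* extension was removed in PHP 7), and the sample values are constructed. The last part goes beyond the thread and runs the same insert as a PDO prepared statement against an in-memory SQLite table (assumes the pdo_sqlite extension), where no escaping step is needed at all.

```php
<?php
// Hypothetical stand-in for mysql_real_escape_string(): same backslash
// escapes, but no connection and no character-set awareness.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Builds the INSERT from the thread by string interpolation.
function build_insert(string $first, string $last, string $tel, string $email): string
{
    return "INSERT INTO tblusers (firstname, lastname, telephone, email, active) "
         . "VALUES('$first', '$last', '$tel', '$email', '1');";
}

// Constructed sample input containing a quote character.
$user = ['Sean', "O'Brien", '555-0100', 'sean@example.com'];

// 1. Escaping the finished query: the quotes that delimit each value are
//    escaped as well, so the server no longer sees string literals.
$whole = escape_like_mysql(build_insert(...$user));

// 2. Escaping each value first: only the quote inside the data is escaped,
//    the delimiters added by the query template stay intact.
$perValue = build_insert(...array_map('escape_like_mysql', $user));

// 3. Prepared statement: the values travel separately from the SQL text.
function add_user(PDO $db, string $first, string $last, string $tel, string $email): void
{
    $stmt = $db->prepare(
        'INSERT INTO tblusers (firstname, lastname, telephone, email, active) '
        . 'VALUES (?, ?, ?, ?, 1)'
    );
    $stmt->execute([$first, $last, $tel, $email]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblusers (firstname TEXT, lastname TEXT, '
        . 'telephone TEXT, email TEXT, active INTEGER)');
add_user($db, ...$user);

echo "whole query escaped: $whole\n";
echo "values escaped:      $perValue\n";
echo "stored via prepare:  ",
     $db->query('SELECT lastname FROM tblusers')->fetchColumn(), "\n";
```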

.josh
Posted January 17, 2009

mysql_real_escape_string sucks. Be a man. Use regex. It'll put hair on your chest.