[SOLVED] mysql_real_escape_string question

[dennismonsewicz]

when using the mysql_real_escape_string you don't have to use strip_slashes do you? The escaping the string handles all of that correct?

[wildteen88]

No you don't have to use strip_slashes after the use of mysql_real_escape_string.

 

However before running mysql_real_escape_string you should first run strip_slashes encase magic quotes is enabled. Forexample

 

function makeSafe($data)
{
    // undo magic_quotes
    if(get_magic_quotes_gpc())
        $data = strip_slashes($data);

    return mysql_real_escape_string($data);
}

// example usage
$myName = makeSafe($_POST['my_name_field']);

[flyhoney]

Right

 

Maybe an example will help.

 

<?php
$string = "Something's that's need's escaping";
$query = "UPDATE table SET string = '" . mysql_real_escape_string($string) . "'";
$result = mysql_query();

$query = "SELECT string FROM table";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

echo $row['string']; // Something's that's need's escaping
?>

 

If you are using mysql_real_escape_string to build your quere

[dennismonsewicz]

cool i appreciate it...

 

so what exactly does the mysql_real_escape_string() function do? as far as securing the post vs using strip_slashes?

[flyhoney]

mysql_real_escape_string escapes characters by adding slashes, it's similar to addslashes, but smarter.

[dennismonsewicz]

ah gotcha! Thanks yall!