Boo-urns Posted March 6, 2009 Share Posted March 6, 2009 I have my data running through mysqli_real_escape_string before I send it to the database. However I notice when I look at the data in the database it appears to not be escaped. Does the mysqli class automatically escape data? As, I don't think my data is being escaped (when i set it up w/o the real_escape_string) but when I echo out the query it is. Does this version of PhpMyAdmin 2.11.9.4 display data with stripslashes? Thanks! Quote Link to comment Share on other sites More sharing options...
WolfRage Posted March 8, 2009 Share Posted March 8, 2009 gpc_magic_qoutes is probably turned on, plus you can help protect yourself from attack by using htmlentities() which will convert all symbols to html equivalents. Quote Link to comment Share on other sites More sharing options...
RussellReal Posted March 8, 2009 Share Posted March 8, 2009 basically escaping the data is to get it successfully to the database if inside your string somewhere you have a ' it will kill the query thats why it turns ' into \', but when it reaches the database it will have been escaped in the query, therefore it will show up correct in the database, you most likely as wolf states gave magic quotes on, so, you'd want to stripslahes Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 8, 2009 Share Posted March 8, 2009 The escape characters \ are NOT inserted into the database. They are only present in the query string to indicate which special characters are to be treated as data and which are to be treated as part of the query syntax. Quote Link to comment Share on other sites More sharing options...
RussellReal Posted March 8, 2009 Share Posted March 8, 2009 The escape characters \ are NOT inserted into the database. They are only present in the query string to indicate which special characters are to be treated as data and which are to be treated as part of the query syntax. ^^ yeah basically what I said, but probably more understandable lol Quote Link to comment Share on other sites More sharing options...
Mchl Posted March 8, 2009 Share Posted March 8, 2009 Well... with magic_quotes on the values would be escaped twice, and thus the slashes would actually be stored in database Quote Link to comment Share on other sites More sharing options...
Boo-urns Posted March 9, 2009 Author Share Posted March 9, 2009 hmm interesting. So is it best to have magic quotes off? It does look like it is on. Quote Link to comment Share on other sites More sharing options...
Mchl Posted March 9, 2009 Share Posted March 9, 2009 Yes it is. magic_quotes was a failed attempt to make scripts created by unexperiened coders more secure. magic_quotes is deprecated in PHP5 and will be removed completely in PHP6 http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc Quote Link to comment Share on other sites More sharing options...
Boo-urns Posted March 9, 2009 Author Share Posted March 9, 2009 Alrighty, I didn't rely on it anyway. Thanks for the info! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.