onedumbcoder Posted July 28, 2009

I have an about value that is posted. When I capture it I escape it like so:

$iabout = mysql_real_escape_string(stripslashes($_POST['about']));

Let's say the value is: I love "money" and '''single quotes'''!!!x00 but when I look in the database the value is still I love "money" and '''single quotes'''!!!x00. Shouldn't it now be I love \"money\" and \'\'\'single quotes\'\'\'!!!\x00 since I used mysql_real_escape_string?
rhodesa Posted July 28, 2009

The function doesn't add slashes to the value when it's stored... it just escapes it so MySQL doesn't error out when inserting it into the database.
onedumbcoder (Author) Posted July 28, 2009

So I should be fine? No one can do a SQL injection even though it is not adding the slashes?
rhodesa Posted July 28, 2009

Nope, you are all set... again, it escapes characters to stop SQL injection, but doesn't alter the value that actually gets stored... make sense?
onedumbcoder (Author) Posted July 28, 2009

Yes, thanks so much, I was worried that something was wrong! So I was doing this
PFMaBiSmAd Posted July 28, 2009

mysql_real_escape_string() only protects against SQL injection when used on string data put into a query (data that is enclosed in single-quotes inside the query). It does not protect against SQL injection on numeric data put into a query (data that is not enclosed in single-quotes inside the query), such as an id field. For numeric data in a query, you either need to validate that it is numeric or cast it as a numeric data type in order to protect against SQL injection.
rhodesa Posted July 28, 2009

Doesn't MySQL accept single quotes around numbers?
PFMaBiSmAd Posted July 28, 2009

It does, but then it must go through the step of converting that string containing numeric digits into a numeric value (if I remember correctly it converts to a floating point data type), and that would also require that everyone actually write queries with single-quotes in things like: WHERE id = $id
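The two points made in this thread, that escaping changes the query text but not the value the server stores, and that escaping does nothing for a value placed unquoted in WHERE id = $id, shown as an added Python example (not code from the thread, from PHP or from MySQL). It reimplements the escaping rule of MySQL's mysql_real_escape_string(), which PHP's function wraps (a backslash before \x00, \n, \r, \, ', " and \x1a), plus a simplified decoder for a single-quoted literal so the stored value can be recovered offline. The table and column names (profile, about, id) are made up and the sample value is constructed.

```python
import re
from typing import Tuple

# Escaping table of MySQL's mysql_real_escape_string(): each of these seven
# characters is replaced by a backslash sequence the server decodes back to
# the original character when it parses the string literal.
_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}
_UNESCAPES = {seq[1]: ch for ch, seq in _ESCAPES.items()}


def escape(value: str) -> str:
    """Escape a value for use inside a single-quoted MySQL string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_literal(sql: str, start: int) -> Tuple[str, int]:
    """Decode the single-quoted literal starting at sql[start] the way the
    server does; returns (stored_value, index_after_literal). Simplified:
    only the seven sequences above and the doubled quote '' are handled."""
    assert sql[start] == "'"
    out = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append(_UNESCAPES.get(nxt, nxt))  # unknown \x decodes to x
            i += 2
        elif ch == "'":
            if sql[i + 1 : i + 2] == "'":  # '' is also an escaped quote
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def build_insert(about: str) -> str:
    """The query the original poster builds: escaped value inside quotes."""
    return "INSERT INTO profile (about) VALUES ('" + escape(about) + "')"


def stored_value(query: str) -> str:
    """What the server stores for the first string literal in the query."""
    value, _ = parse_literal(query, query.index("'"))
    return value


def is_numeric_id(raw: str) -> bool:
    """Validation for an unquoted numeric column: unsigned integer only."""
    return re.fullmatch(r"[0-9]+", raw) is not None


def build_lookup(raw_id: str) -> str:
    """Escaping cannot help here (no quotes around $id), so validate/cast."""
    if not is_numeric_id(raw_id):
        raise ValueError(f"not a numeric id: {raw_id!r}")
    return f"SELECT about FROM profile WHERE id = {int(raw_id)}"


# Constructed sample: the poster's value, with a real NUL byte at the end.
SAMPLE = "I love \"money\" and '''single quotes'''!!!\x00"

if __name__ == "__main__":
    q = build_insert(SAMPLE)
    print(q)                          # backslashes appear in the query text
    print(repr(stored_value(q)))      # ...but not in what the server stores
    print(stored_value(q) == SAMPLE)
    print(escape("7 OR 1=1"))         # unchanged: nothing here gets escaped
    for raw in ("42", "7 OR 1=1"):
        try:
            print(build_lookup(raw))
        except ValueError as exc:
            print("rejected:", exc)
```

Running it prints the INSERT with \"money\" and \' sequences in the query text, then the decoded value, which is byte-for-byte the original, which is exactly what the poster saw in the database. The second half shows why PFMaBiSmAd's caveat matters: a value with no quotes, backslashes or control characters passes through escape() untouched, so for an unquoted id the only protection is validating or casting it to a number.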