mysql_real_escape_string


4 replies to this topic

#1 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • LocationUK

Posted 08 August 2006 - 03:30 PM

Just a couple of questions on which I want to check the answer.

If I use mysql_real_escape_string, I do not need to add slashes and I can also turn off magic_quotes_gpc, is that correct?

And secondly, if I am using mysql_real_escape_string, do I still need to strip slashes after retrieving information from the database?

Thanks,

Ben

#2 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 08 August 2006 - 03:35 PM

mysql_real_escape_string does the same as using addslashes, htmlspecialchars, htmlentities (with ENT_QUOTES).

No, you don't need to use stripslashes. PHP will remove these automatically, even if you have magic_quotes_gpc disabled.

When using mysql_real_escape_string, you need to be connected to MySQL to use it.

#3 GingerRobot

Posted 08 August 2006 - 03:45 PM

OK, thanks for the help, but one further question.

You say that I do not need to use stripslashes because PHP does that for me. Is that only if I use mysql_real_escape_string? If I were to use addslashes on data to be inserted into a database, I would need to use stripslashes on retrieval?

I already do use mysql_real_escape_string, but I'm just trying to fully understand the different ways in which it works.

#4 wildteen88

Posted 08 August 2006 - 03:48 PM

Yeah, when the data is called out of the database, PHP/MySQL gets rid of the slashes; at least it does with me. PHP has magic_quotes_gpc disabled.

#5 GingerRobot

Posted 08 August 2006 - 05:40 PM

I did a bit of testing, and in case anyone is interested...
With magic_quotes_gpc off, if you do not do anything to a string such as ' and try to enter it into the database, you get an error. If you apply mysql_real_escape_string() to it, it enters it into the database, although, interestingly, it does not enter the version with the slashes applied; rather, it simply shows '. Unless, of course, phpMyAdmin has stripped the slashes, which is a possibility. However, if you echo the string after applying mysql_real_escape_string, it shows up as \'.

And yes, when you retrieve the data, there is no need for stripslashes.
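
Added example, not part of any post in this thread: a small Python model of why the backslash added by mysql_real_escape_string is visible when echoed but absent from the stored row. It goes one step beyond the thread by also covering magic_quotes_gpc on plus escaping, where a backslash does get stored. The function names and the literal parser are constructed for illustration and assume MySQL's default backslash-escape handling.

```python
# Constructed model of the escaping discussed in this thread; not PHP or MySQL source.
# Assumes MySQL's default sql_mode (backslash escapes enabled).
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# Escape sequences the server recognises inside a quoted literal; any other
# backslash-prefixed character stands for itself (so \' becomes ').
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b",
             "t": "\t", "%": "\\%", "_": "\\_"}


def real_escape(value):
    """Model of mysql_real_escape_string: prepare a value for use between quotes."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def addslashes(value):
    """Model of addslashes / magic_quotes_gpc: backslash before ' " \\ and NUL."""
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in value)


def stored_value(literal):
    """Parse one single-quoted literal the way the server does and return the
    string that ends up in the column; ValueError models a syntax error."""
    if not literal.startswith("'"):
        raise ValueError("not a string literal")
    out, i = [], 1
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal):
            out.append(UNESCAPES.get(literal[i + 1], literal[i + 1]))
            i += 2
        elif ch == "'" and literal[i + 1:i + 2] == "'":
            out.append("'")  # a doubled quote is one literal quote
            i += 2
        elif ch == "'":
            if i == len(literal) - 1:
                return "".join(out)
            raise ValueError("quote closes the literal early")
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")


def insert_and_read_back(value, magic_quotes=False, escape=True):
    """Value a SELECT returns after INSERT ... VALUES ('<value>')."""
    if magic_quotes:
        value = addslashes(value)
    if escape:
        value = real_escape(value)
    return stored_value("'" + value + "'")
```

The backslash is consumed by the SQL parser when it reads the literal, so stripslashes on retrieval is only ever undoing a second, redundant round of escaping.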



