mysql_real_escape_string

[GingerRobot]

Just a couple questions on which i want to check the answer.

If i use mysql_real_escape_string, i do not need to add slashes and i can also turn off magic_quotes_gpc, is that correct?

And secondly, if i am using mysql_real_escape_string, do i still need to strip slashes after retrieving information from the database?

Thanks,

Ben

[wildteen88]

Myql_real_escaspe_string does the same as using addslashes, htmlspecialchars, htmlentities (with ENT_QUOTES)

No you dont need to use stripslashes. PHP will remove these automatically, even if you have magic_quotes_gpc disabled.

When using mysql_real_escape_string you need to be connect to MySQL to use it.

[GingerRobot]

Ok, thanks for the help but one further question

You say that i do not need to use stripslashes because PHP does that for me. Is that only if i use mysql_real_escape_string? If i were to use addslashes on data to be inserted into a database, i would need to use stripslashes on retrieval?

I already do use mysql_real_escape_string, but im just trying to fully understand the differant ways in which it works.

[wildteen88]

Yeah when the data is called out of the database PHP/MySQL get rid of the slashes, at least it does it with me. PHP has magic_quotes_gpc disabled.

[GingerRobot]

I did a bit of testing and incase anyone is interested...
With magic_quotes_gpc off, if you do not do anything to a string such as ' and try to enter it into the database you get an error. If you apply mysql_real_escape_string() to it, it enters it into the database, although, interestingly, it does not enter the version with the slashes applied, rather it simply shows ' Unless, of course, phpMyAdmin has stripped the slashes which is a possibility. However, if you echo the string after applying mysql_real_escape_string, it shows up as \'.

And yes, whe you retreive the data, there is no need for stripslashes.