Jump to content

Archived

This topic is now archived and is closed to further replies.

GingerRobot

mysql_real_escape_string

Recommended Posts

Just a couple questions on which i want to check the answer.

If i use mysql_real_escape_string, i do not need to add slashes and i can also turn off magic_quotes_gpc, is that correct?

And secondly, if i am using mysql_real_escape_string, do i still need to strip slashes after retrieving information from the database?

Thanks,

Ben

Share this post


Link to post
Share on other sites
Myql_real_escaspe_string does the same as using addslashes, htmlspecialchars, htmlentities (with ENT_QUOTES)

No you dont need to use stripslashes. PHP will remove these automatically, even if you have magic_quotes_gpc disabled.

When using mysql_real_escape_string you need to be connect to MySQL to use it.

Share this post


Link to post
Share on other sites
Ok, thanks for the help but one further question

You say that i do not need to use stripslashes because PHP does that for me. Is that only if i use mysql_real_escape_string? If i were to use addslashes on data to be inserted into a database, i would need to use stripslashes on retrieval?

I already do use mysql_real_escape_string, but im just trying to fully understand the differant ways in which it works.

Share this post


Link to post
Share on other sites
Yeah when the data is called out of the database PHP/MySQL get rid of the slashes, at least it does it with me. PHP has magic_quotes_gpc disabled.

Share this post


Link to post
Share on other sites
I did a bit of testing and incase anyone is interested...
With magic_quotes_gpc off, if you do not do anything to a string such as ' and try to enter it into the database you get an error. If you apply mysql_real_escape_string() to it, it enters it into the database, although, interestingly, it does not enter the version with the slashes applied, rather it simply shows ' Unless, of course, phpMyAdmin has stripped the slashes which is a possibility. However, if you echo the string after applying mysql_real_escape_string, it shows up as \'.

And yes, whe you retreive the data, there is no need for stripslashes.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.