Jump to content

Data not escaped in the database.


david91

Recommended Posts

Ok. That's how it should be done, when no magic_quotes are enabled

 

<?php

mysql_connect('localhost','root','');
mysql_select_db('test');
mysql_query('CREATE TABLE IF NOT EXISTS emopoops (emo VARCHAR(200))');

$string = "O'reilly c:\\wamp\\www";

echo $string.PHP_EOL;  // echoes: O'reilly c:\wamp\www
$stringEscaped = mysql_real_escape_string($string);

echo $stringEscaped.PHP_EOL;  //echoes: O\'reilly c:\\wamp\\www

mysql_query("INSERT INTO emopoops (emo) VALUES ('$stringEscaped')");

$result = mysql_query('SELECT * FROM emopoops');
$row = mysql_fetch_assoc($result)
echo $row['emo'].PHP_EOL; //echoes: O'reilly c:\wamp\www

mysql_query('DROP TABLE emopoops');

 

As you can see, no stripslashes is needed.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.