robert_gsfame Posted January 25, 2010 Share Posted January 25, 2010 I have used mysql_real_escape_string() and i have this \"\"james inside my database $sql=mysql_query("SELECT * FROM table"); $array=mysql_fetch_array($sql); $name=stripslashes($array['name']); sprintf("SELECT * FROM table1 WHERE name='%s'", mysql_real_escape_string($name)) In order to get another record from table1 using record from table, should i stripslashes first or not?? i really confused with this...hope anyone could help Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 25, 2010 Share Posted January 25, 2010 If your data is escaped properly, the escape characters \ DO NOT appear in the database. They are only present in the query string so that the special sql characters that are part of the data don't break the sql syntax. Quote Link to comment Share on other sites More sharing options...
robert_gsfame Posted January 25, 2010 Author Share Posted January 25, 2010 oops, but what i have here is that "\" appear in my database as a result of using mysql_real_escape_string() Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 25, 2010 Share Posted January 25, 2010 If your data is escaped only ONCE, the \ do not appear in the database. You do need to use mysql_real_escape_string on all string data put into a query. If magic_quotes_gpc is ON, you must either turn it off or you must use stripslashes() on any external (get, post, cookie) data, then use mysql_real_escape_string on it. if(get_magic_quotes_gpc()){ $var = stripslashes($var); } $var = mysql_real_escape_string($var); Quote Link to comment Share on other sites More sharing options...
robert_gsfame Posted January 25, 2010 Author Share Posted January 25, 2010 so i should do is like this $value=stripslashes($_POST['value']); sprintf("INSERT INTO table VALUES('%s')",mysql_real_escape_string($value)); am i correct??i really new to this...really appreciate your helps Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 25, 2010 Share Posted January 25, 2010 If you unconditionally use stripslashes(), that will prevent you from ever having an actual \ as part of the data on systems where magic_quotes_gpc are turned off (or under php6 where magic_quotes_gpc has finally been removed). I posted code using an if(){} statement for a reason. Quote Link to comment Share on other sites More sharing options...
robert_gsfame Posted January 25, 2010 Author Share Posted January 25, 2010 okay so i have to use get_magic_quotes_gpc() , it will look like this $value=$_POST['value']; if(get_magic_quotes_gpc()){ $var = stripslashes($value); } sprintf("INSERT INTO table VALUES('%s')",mysql_real_escape_string($value)); is this correct?? i have to check whether get_magic_quotes_gpc() is off on every string before using it in a query? Quote Link to comment Share on other sites More sharing options...
robert_gsfame Posted January 25, 2010 Author Share Posted January 25, 2010 okay so i have to use get_magic_quotes_gpc() , it will look like this $value=$_POST['value']; if(get_magic_quotes_gpc()){ $var = stripslashes($value); } sprintf("INSERT INTO table VALUES('%s')",mysql_real_escape_string($var)); is this correct?? i have to check whether get_magic_quotes_gpc() is off on every string before using it in a query? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.