
I have used mysql_real_escape_string() and I have this \"\"james inside my database.

 

// First query: read a row from `table`
$sql   = mysql_query("SELECT * FROM table");
$array = mysql_fetch_array($sql);
$name  = stripslashes($array['name']);

// Second query: look up the matching record in table1 by that name
$query = sprintf("SELECT * FROM table1 WHERE name='%s'", mysql_real_escape_string($name));

 

In order to get another record from table1 using a record from table, should I stripslashes first or not?

 

I'm really confused by this... hope anyone can help.

https://forums.phpfreaks.com/topic/189717-retrieve-record-from-database-problem/

If your data is escaped properly, the escape characters \ DO NOT appear in the database. They are only present in the query string so that the special sql characters that are part of the data don't break the sql syntax.

If your data is escaped only ONCE, the \ do not appear in the database.

 

You do need to use mysql_real_escape_string on all string data put into a query.

 

If magic_quotes_gpc is ON, you must either turn it off or you must use stripslashes() on any external (get, post, cookie) data, then use mysql_real_escape_string on it.

if(get_magic_quotes_gpc()){
    $var = stripslashes($var);
}
$var = mysql_real_escape_string($var);

If you unconditionally use stripslashes(), that will prevent you from ever having an actual \ as part of the data on systems where magic_quotes_gpc is turned off (or under php6, where magic_quotes_gpc has finally been removed). I posted code using an if(){} statement for a reason.

Okay, so I have to use get_magic_quotes_gpc(); it will look like this:

$value = $_POST['value'];

if (get_magic_quotes_gpc()) {
    $value = stripslashes($value);   // undo the slashes magic quotes added
}

// escape exactly once, when the query string is built
$query = sprintf("INSERT INTO table VALUES('%s')", mysql_real_escape_string($value));

 

Is this correct? Do I have to check whether get_magic_quotes_gpc() is off for every string before using it in a query?

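The rules given in the reply (escape exactly once; strip magic quotes only when they are on; never stripslashes data read back out of the database, which answers the first post's SELECT question as well as the follow-up's INSERT question) can be checked without a MySQL server by modelling the three PHP functions and the way MySQL decodes a quoted literal. The block below is an added example written for this page, not code from the thread or from PHP: addslashes(), stripslashes() and mysql_real_escape_string() are re-implemented here, and the literal decoder assumes NO_BACKSLASH_ESCAPES is off and a single-byte-safe connection charset (the real mysql_real_escape_string() is charset aware, which is why it needs an open connection). The input '""james' is constructed to resemble the value the original poster found stored as \"\"james.

```python
# Added example (not code from the thread): models of PHP's addslashes(),
# stripslashes() and mysql_real_escape_string(), plus a decoder for a MySQL
# single-quoted string literal, showing what lands in the table when a value
# is escaped once versus twice. ASSUMPTIONS: NO_BACKSLASH_ESCAPES is off and
# the connection charset is single-byte safe; the real mysql_real_escape_string()
# is charset aware, which is why it needs an open connection.

# What mysql_real_escape_string() emits for each character it escapes.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# How the MySQL lexer decodes a backslash sequence inside a literal.
_MYSQL_UNESCAPES = {
    "0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t",
    "\\": "\\", "'": "'", '"': '"',
}


def mysql_real_escape_string(s: str) -> str:
    """Escape a value for use inside a quoted MySQL string literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in s)


def addslashes(s: str) -> str:
    """What magic_quotes_gpc silently did to every GET/POST/COOKIE value."""
    out = []
    for ch in s:
        if ch == "\0":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s: str) -> str:
    """Undo addslashes(): drop one backslash before each escaped character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2          # a trailing lone backslash is dropped, as in PHP
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def mysql_decode_literal(literal: str) -> str:
    """Return the value MySQL stores for a single-quoted literal. Raises
    ValueError when an unescaped quote ends the literal early: that is the
    exact point at which unescaped input turns into SQL syntax."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(_MYSQL_UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'":
            if i + 1 < len(body) and body[i + 1] == "'":   # '' is one quote
                out.append("'")
                i += 2
            else:
                raise ValueError("unescaped quote terminates the literal early")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_value(raw: str, magic_quotes_gpc: bool, strip: str) -> str:
    """INSERT path: browser value -> $_POST (with or without magic quotes) ->
    stripslashes policy -> mysql_real_escape_string -> value MySQL stores.
    strip is "never", "if_magic_quotes" (the if(get_magic_quotes_gpc()) branch
    from the reply) or "always" (the unconditional stripslashes it warns about)."""
    value = addslashes(raw) if magic_quotes_gpc else raw
    if strip == "always" or (strip == "if_magic_quotes" and magic_quotes_gpc):
        value = stripslashes(value)
    return mysql_decode_literal("'" + mysql_real_escape_string(value) + "'")


def requeried_value(stored: str) -> str:
    """The first post's second step: a value read from one table is used in a
    WHERE clause against another. Escape once while building that query; a
    correctly stored value has no slashes to strip."""
    return mysql_decode_literal("'" + mysql_real_escape_string(stored) + "'")


def literal_stays_one_string(value: str, escape: bool) -> bool:
    """True if quoting the value (escaped or not) still yields one literal."""
    body = mysql_real_escape_string(value) if escape else value
    try:
        mysql_decode_literal("'" + body + "'")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = '""james'   # constructed input resembling the one in the first post
    print(repr(stored_value(raw, True, "never")))            # '\\"\\"james'
    print(repr(stored_value(raw, True, "if_magic_quotes")))  # '""james'
    print(repr(stored_value("C:\\temp", False, "always")))   # 'C:temp'
```

The first printed line is the double-escaped value the original poster found: with magic_quotes_gpc on and no stripslashes, the backslashes PHP added to $_POST become part of the data, and mysql_real_escape_string() then dutifully escapes them too. The conditional stripslashes produces a clean row, and the third line shows the reply's warning about doing it unconditionally: a genuine backslash in the input is silently lost when magic quotes are off. The stripslashes() in the first post's SELECT path is the same mistake in reverse, since a correctly stored value has no slashes to strip. The lasting fix is to stop building SQL from strings at all: mysqli or PDO prepared statements send the parameter separately from the query text, so neither escaping nor magic-quotes handling applies.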
