
Question regarding mysql_real_escape_string()


newbtophp


If I use mysql_real_escape_string() whilst inserting data...and that data contained 'common sql injection chars' - I'm guessing it would escape/backslash them?

 

So say if I now wanted to select/extract that data from the DB, would the data contain the slashes or would the slashes be automatically removed/stripped?

If they are a valid part of the data, why remove them? If they're not a valid part of the data, why store them in the first place?

 

stripslashes shouldn't ever really be needed on data coming out of a database unless it wasn't escaped properly on the way in.

I think what OP was asking was "If I use mysql_real_escape_string() when storing data, do I need to mysql_real_unescape_string() when I fetch it?".  The answer to that question is no.  It's only needed when the data goes in.

 

Put another way, all modifications done by mysql_real_escape_string() are removed by mysql when the data goes in.  What's stored in the db is the original data.
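The round trip described in the replies above, as an added example that is not part of the original thread: a simplified Python model of the characters mysql_real_escape_string() backslashes and of how the server's string-literal parser decodes them again. It assumes the default sql_mode (backslash escapes enabled) and ignores connection character sets; the `notes` table and the helper names are hypothetical.

```python
# Added example: simplified model, not MySQL's or PHP's own code.
# Assumes default sql_mode (backslash escapes on) and ignores charsets.

# Characters mysql_real_escape_string() prefixes with a backslash.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# Letters the server's string-literal parser maps back to control characters.
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
             "Z": "\x1a"}


def escape(value):
    """Model of the string mysql_real_escape_string() returns."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def parse_literal(sql, start):
    """Decode the quoted literal opening at sql[start] as the server would.

    Returns (value_the_server_sees, index_after_closing_quote)."""
    out, i = [], start + 1
    while i < len(sql):
        ch, nxt = sql[i], sql[i + 1:i + 2]
        if ch == "\\" and nxt:
            # \% and \_ keep their backslash; any other \x becomes x.
            out.append("\\" + nxt if nxt in "%_" else UNESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'" and nxt == "'":      # doubled quote is one quote
            out.append("'")
            i += 2
        elif ch == "'":                     # closing quote
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(value, escaped=True):
    """Return (what gets stored, SQL text left after the literal)."""
    body = escape(value) if escaped else value
    sql = "INSERT INTO notes (body) VALUES ('" + body + "')"  # notes: hypothetical
    stored, end = parse_literal(sql, sql.index("'"))
    return stored, sql[end:]


if __name__ == "__main__":
    print(stored_value("O'Reilly \\ a\nb"))          # escaped once: original back
    print(stored_value("O'Reilly", escaped=False))   # literal ends early
    print(stored_value(escape("O'Reilly")))          # escaped twice: slash stored
```

The third call is the case where stripslashes appears to be needed on the way out: the value was escaped twice on the way in, so one layer of backslashes survives parsing and is stored.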
