fubowl Posted October 18, 2010

Hey all. mysql_real_escape_string() seems to be working fine for me, but I'm wondering why the entries in the database don't reflect my SQL query. For example, here is the string php is sending to MYSQL:

insert into bands (bandname, hometown, website, creation, bio, addedon) values ('band', '\'gaewg\"f gswogsw<?php OR \'\'=\' rswaiohgri ', '', '1992', '\' OR \'\'=\'', '10182010')

This has already been run through mysql_real_escape_string(), but when I go to phpmyadmin here is what I see:

`bands` (`id`, `bandname`, `creation`, `photo`, `bio`, `hometown`, `website`, `addedon`) VALUES (34, 'band', '1992', '', ''' OR ''''=''', '''gaewg"f gswogsw<?php OR ''''='' rswaiohgri ', '', '10182010');

My question is does it matter if it's not slashed in the database? Might be just a newbie here but isn't that how injection works? Anyhow, just let me know wise phpfreaks users. Thanks in advance.

Mchl Posted October 18, 2010

That's how it should be. Slashes are needed for MySQL to know it has to treat the following character as a regular character, not a special one. Once data is in database, there's no point in having slashes with it.
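
The behaviour described in the answer above, as an added example that is not code from the thread: a simplified PHP model of how MySQL reads a single-quoted string literal, run over the two fields from the question. It shows that the backslash-escaped literal PHP sent and the doubled-quote literal phpMyAdmin displays decode to the same stored value. `decode_mysql_literal` is a hypothetical helper; it assumes the default `sql_mode` (`NO_BACKSLASH_ESCAPES` off) and ignores character-set handling.

```php
<?php
// Added example: simplified model of MySQL's single-quoted literal parsing
// (NO_BACKSLASH_ESCAPES off; \% and \_ handling omitted). Not MySQL's own code.
function decode_mysql_literal(string $lit): string
{
    $n = strlen($lit);
    if ($n < 2 || $lit[0] !== "'" || $lit[$n - 1] !== "'") {
        throw new InvalidArgumentException('not a single-quoted literal');
    }
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t", 'b' => "\x08", 'Z' => "\x1a"];
    $out = '';
    for ($i = 1; $i < $n - 1; $i++) {
        $c = $lit[$i];
        if ($c === '\\' || $c === "'") {
            // Backslash needs a following character; a quote must be doubled.
            if ($i + 1 >= $n - 1 || ($c === "'" && $lit[$i + 1] !== "'")) {
                throw new InvalidArgumentException("string ends early at offset $i");
            }
            $next = $lit[++$i];
            $out .= ($c === '\\') ? ($map[$next] ?? $next) : "'";
        } else {
            $out .= $c;
        }
    }
    return $out;
}
// Literals copied from the question: as sent by PHP, and as shown by phpMyAdmin.
$sentHometown = <<<'SQL'
'\'gaewg\"f gswogsw<?php OR \'\'=\' rswaiohgri '
SQL;
$shownHometown = <<<'SQL'
'''gaewg"f gswogsw<?php OR ''''='' rswaiohgri '
SQL;
$sentBio = <<<'SQL'
'\' OR \'\'=\''
SQL;
$shownBio = <<<'SQL'
''' OR ''''='''
SQL;
$hometown = decode_mysql_literal($sentHometown);
var_dump($hometown === decode_mysql_literal($shownHometown)); // compare stored bytes
var_dump(decode_mysql_literal($sentBio) === decode_mysql_literal($shownBio));
echo $hometown, "\n"; // the value the column holds: quotes intact, no backslashes
// The same value placed between quotes without escaping is not one literal.
try {
    decode_mysql_literal("'" . $hometown . "'");
} catch (InvalidArgumentException $e) {
    echo 'unescaped: ', $e->getMessage(), "\n";
}
```

Both escaping styles exist only in the SQL text. The parser consumes them, so the column holds the original characters, and the doubled quotes in phpMyAdmin are its own re-encoding for display as SQL.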