
mysql_real_escape_string() / MYSQL question


fubowl


Hey all.

 

mysql_real_escape_string() seems to be working fine for me, but I'm wondering why the entries in the database don't reflect my SQL query.

 

For example, here is the string PHP is sending to MySQL:

insert into bands (bandname, hometown, website, creation, bio, addedon) values ('band', '\'gaewg\"f gswogsw<?php  OR \'\'=\' rswaiohgri ', '', '1992', '\' OR \'\'=\'', '10182010')

 

This has already been run through mysql_real_escape_string(), but when I go to phpMyAdmin here is what I see:

`bands` (`id`, `bandname`, `creation`, `photo`, `bio`, `hometown`, `website`, `addedon`) VALUES
(34, 'band', '1992', '', ''' OR ''''=''', '''gaewg"f gswogsw<?php  OR ''''='' rswaiohgri ', '', '10182010');

 

My question is does it matter if it's not slashed in the database? Might be just a newbie here but isn't that how injection works? Anyhow, just let me know wise phpfreaks users. Thanks in advance.


That's how it should be. Slashes are needed for MySQL to know it has to treat the following character as a regular character, not a special one. Once data is in the database, there's no point in having slashes with it.
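
The point of the reply above, as an added example that is not part of the thread: a small Python decoder for MySQL's single-quoted literal syntax, showing that the backslash-escaped string PHP sent and the quote-doubled string in the phpMyAdmin export are two spellings of the same stored value, and that the same value with no escaping closes the literal early. The function name `decode_mysql_literal` is made up here, and the default sql_mode (NO_BACKSLASH_ESCAPES not set) is assumed.

```python
# Added example: decode a MySQL single-quoted string literal into the value the
# server stores. Assumes the default sql_mode (NO_BACKSLASH_ESCAPES not set).
_ESCAPES = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}


def decode_mysql_literal(literal: str) -> str:
    """Return the stored value for one quoted literal, or raise ValueError."""
    if len(literal) < 2 or literal[0] != "'":
        raise ValueError("literal must start with a single quote")
    out, i = [], 1
    while i < len(literal):
        ch = literal[i]
        if ch == "\\":                       # backslash escape: consumed by parser
            if i + 1 >= len(literal):
                raise ValueError("dangling backslash")
            nxt = literal[i + 1]
            if nxt in "%_":                  # kept verbatim for LIKE patterns
                out.append("\\" + nxt)
            else:
                out.append(_ESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'":
            if literal[i + 1:i + 2] == "'":  # doubled quote is one literal quote
                out.append("'")
                i += 2
            elif i == len(literal) - 1:      # closing quote at the very end
                return "".join(out)
            else:                            # string closed early: rest is SQL
                raise ValueError("literal ends early; trailing text: "
                                 + literal[i + 1:])
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")


# Both literals are copied from the posts above (the `bio` column).
SENT_BY_PHP = r"'\' OR \'\'=\''"          # after mysql_real_escape_string()
PHPMYADMIN_EXPORT = "''' OR ''''='''"     # quote-doubling used in the export
STORED = decode_mysql_literal(SENT_BY_PHP)

if __name__ == "__main__":
    print(repr(STORED))
    print(STORED == decode_mysql_literal(PHPMYADMIN_EXPORT))
    try:                                   # same value with no escaping at all
        decode_mysql_literal("'" + STORED + "'")
    except ValueError as err:
        print("unescaped:", err)
```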
