fubowl Posted October 18, 2010

Hey all. mysql_real_escape_string() seems to be working fine for me, but I'm wondering why the entries in the database don't reflect my SQL query. For example, here is the string PHP is sending to MySQL:

insert into bands (bandname, hometown, website, creation, bio, addedon) values ('band', '\'gaewg\"f gswogsw<?php OR \'\'=\' rswaiohgri ', '', '1992', '\' OR \'\'=\'', '10182010')

This has already been run through mysql_real_escape_string(), but when I go to phpMyAdmin here is what I see:

`bands` (`id`, `bandname`, `creation`, `photo`, `bio`, `hometown`, `website`, `addedon`) VALUES (34, 'band', '1992', '', ''' OR ''''=''', '''gaewg"f gswogsw<?php OR ''''='' rswaiohgri ', '', '10182010');

My question is: does it matter if it's not slashed in the database? Might be just a newbie here, but isn't that how injection works? Anyhow, just let me know, wise phpfreaks users. Thanks in advance.
Mchl Posted October 18, 2010

That's how it should be. Slashes are needed for MySQL to know it has to treat the following character as a regular character, not a special one. Once data is in the database, there's no point in having slashes with it.
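The round trip discussed in this thread, as an added example that is not part of either post: a simplified Python model of how MySQL reads a quoted literal, showing that the escaped string PHP sends and the doubled-quote form phpMyAdmin displays both decode to the same stored value. The helper names `escape` and `parse_literal` are hypothetical, and the model assumes the default sql_mode (backslash escapes enabled); the sample value is the `bio` field from the first post.

```python
# Simplified model of MySQL string-literal handling under the default
# sql_mode (NO_BACKSLASH_ESCAPES off). Illustration only, not server code.
# Characters mysql_real_escape_string() prefixes with a backslash:
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# Escape sequences the SQL parser turns back into one character:
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
             "Z": "\x1a", "\\": "\\", "'": "'", '"': '"'}


def escape(value: str) -> str:
    """Escape a value for use inside a single-quoted SQL literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def parse_literal(sql: str) -> str:
    """Return the value the server would store for one quoted literal."""
    if len(sql) < 2 or sql[0] != "'":
        raise ValueError("literal must start with a single quote")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            # \% and \_ keep their backslash; unknown escapes drop it.
            out.append("\\" + nxt if nxt in "%_" else UNESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":      # '' is one quote (dump style)
                out.append("'")
                i += 2
            elif i == len(sql) - 1:          # the closing quote
                return "".join(out)
            else:
                raise ValueError(f"quote at offset {i} ends the literal early")
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")


BIO = "' OR ''='"                 # the bio value from the post, unescaped
SENT = "'" + escape(BIO) + "'"    # the literal PHP places in the query
DUMPED = "''' OR ''''='''"        # the same column as phpMyAdmin shows it

if __name__ == "__main__":
    print(SENT)
    print(parse_literal(SENT) == parse_literal(DUMPED) == BIO)
```

Passing the unescaped value (`"'" + BIO + "'"`) to `parse_literal` raises `ValueError` because the first quote in the data closes the literal, which is the case the backslashes exist to prevent.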