Monsignor
Posted October 10, 2011

Hello all, I'm trying to clean up some user input for my database but the mysql_real_escape_string function doesn't seem to work, and neither does addslashes(). I've browsed the net and made sure I'm connected to the database before the function is called. I can't figure out what I'm doing wrong. Here's the relevant part of the code:

```php
<?php
mysql_connect("localhost","adminname","adminpassword") or die (mysql_error());
mysql_select_db("databasename") or die (mysql_error());
$comment=mysql_real_escape_string($_POST['commentbox']);
?>
```

...and then the result is put into the database along with some other data. The database entry is correct, except, when I check the database or echo the result I get the same thing that was entered into 'commentbox'. For instance, if I enter "I am very 'confused' by this" into the box, the same string will be found in the database table. No slashes, just quotes. Anyone have an idea what's wrong with this? Because it all seems simple and correct but doesn't work.

AyKay47
Posted October 10, 2011

mysql_real_escape_string escapes special characters that can be harmful to the sql.. it won't do anything to normal characters..

Pikachu2000
Posted October 10, 2011

The slashes are an escape character. They don't actually get inserted with the data.

Monsignor
Posted October 10, 2011

> mysql_real_escape_string escapes special characters that can be harmful to the sql.. it won't do anything to normal characters..

From what I understand, it's supposed to add a backslash in front of each quote so as to prevent injection. My problem is, why doesn't it?

Psycho
Posted October 10, 2011

> > mysql_real_escape_string escapes special characters that can be harmful to the sql.. it won't do anything to normal characters..
>
> From what I understand, it's supposed to add a backslash in front of each quote so as to prevent injection. My problem is, why doesn't it?

It DOES. The slashes tell the MySQL engine to treat those characters after the slash as literal characters and to treat it as part of the text value and not as a delimiter (i.e. quote marks used to delineate a string). But, it does NOT insert the slash. That would just be stupid. If mysql_real_escape_string() was not working, your query would be failing due to the single quotes.

Monsignor
Posted October 10, 2011

I see. Thank you very much for clearing that up for me.
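
What the replies describe, as an added example that is not part of the original thread: the backslashes exist only in the statement text and are consumed when MySQL reads the string literal, so the stored value equals the original input. `emulate_escape` and `read_literal` are hypothetical helpers written for this illustration; they assume MySQL's default sql_mode (backslash escapes enabled) and a single-byte or UTF-8 connection, and they are not a replacement for the library's escaping function.

```php
<?php
// Hand-written emulation of the characters mysql_real_escape_string() is
// documented to escape. Illustration only: not the library function.
function emulate_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Reads one single-quoted literal the way MySQL does with backslash escapes
// enabled. Returns [value the server would store, statement text left over
// after the closing quote].
function read_literal(string $sql): array {
    if ($sql === '' || $sql[0] !== "'") {
        throw new InvalidArgumentException('expected an opening quote');
    }
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t", 'b' => "\x08", 'Z' => "\x1a"];
    $value = '';
    $len = strlen($sql);
    for ($i = 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $sql[++$i];
            if ($next === '%' || $next === '_') {
                $value .= '\\' . $next;          // \% and \_ keep their backslash
            } else {
                $value .= $map[$next] ?? $next;  // \' yields ', \\ yields \
            }
        } elseif ($c === "'" && $i + 1 < $len && $sql[$i + 1] === "'") {
            $value .= "'";                       // '' inside a literal is one quote
            $i++;
        } elseif ($c === "'") {
            return [$value, (string) substr($sql, $i + 1)];
        } else {
            $value .= $c;
        }
    }
    throw new RuntimeException('unterminated string literal');
}

$input = "I am very 'confused' by this";   // the sample sentence from the thread
$escaped = emulate_escape($input);
echo "statement text: '$escaped'\n";        // the backslashes exist only here
[$stored, $rest] = read_literal("'$escaped'");
var_dump($stored === $input, $rest);        // stored value compared with the input
// Same input without escaping: the literal closes at the first inner quote.
[$stored, $rest] = read_literal("'$input'");
var_dump($stored, $rest);                   // truncated value and stray SQL text
```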