mysql_real_escape_string() doesn't work


Monsignor

Hello all, I'm trying to clean up some user input for my database but the mysql_real_escape_string function doesn't seem to work, and neither does addslashes(). I've browsed the net and made sure I'm connected to the database before the function is called. I can't figure out what I'm doing wrong. Here's the relevant part of the code:

<?php

// Connect and select the database first: mysql_real_escape_string()
// needs an open connection so it can use the connection's character set.
mysql_connect("localhost","adminname","adminpassword") or die (mysql_error());
mysql_select_db("databasename") or die (mysql_error());

// Escape the raw POST value before it is placed inside a quoted SQL literal.
$comment=mysql_real_escape_string($_POST['commentbox']);

?>


...and then the result is put into the database along with some other data.


The database entry is correct, except that when I check the database or echo the result I get the same thing that was entered into 'commentbox'. For instance, if I enter "I am very 'confused' by this" into the box, the same string will be found in the database table. No slashes, just quotes. Anyone have an idea what's wrong with this? Because it all seems simple and correct but doesn't work.


mysql_real_escape_string escapes special characters that can be harmful to the SQL. It won't do anything to normal characters.


From what I understand, it's supposed to add a backslash in front of each quote so as to prevent injection. My problem is, why doesn't it?


It DOES. The slashes tell the MySQL engine to treat the characters after the slash as literal characters, as part of the text value and not as a delimiter (i.e. the quote marks used to delineate a string). But it does NOT insert the slash. That would just be stupid. If mysql_real_escape_string() was not working, your query would be failing due to the single quotes.

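The point made in the reply above can be watched end to end without a MySQL server. The following is an added example written for this page, not code from the thread: it models in Python the escape rules documented for mysql_real_escape_string() (backslash before NUL, newline, carriage return, backslash, single quote, double quote and Control-Z) and a minimal version of how the MySQL parser decodes a single-quoted literal under the default sql_mode. The `comments` table, the `build_insert` helper and the sample inputs are constructed for illustration. It shows that the backslashes exist only in the SQL text sent to the server, that the decoded (stored) value equals the original input, and that an injection payload stays inside the literal once escaped.

```python
"""Model of mysql_real_escape_string() and of MySQL's literal parsing.

Added example for illustration; not the thread's code.  The table name,
helper names and sample inputs below are constructed, not from the page.
"""

# Escape rules of mysql_real_escape_string(): each of these characters
# gets a backslash prefix; everything else is passed through untouched.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# Reverse map used by the parser model: the character after a backslash
# is turned back into the character it stands for.
_UNESCAPES = {seq[1]: raw for raw, seq in _ESCAPES.items()}


def mysql_real_escape_string(value: str) -> str:
    """What PHP puts into the query text: the backslash-escaped string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_string_literal(sql: str, start: int) -> tuple[str, int]:
    """Decode a single-quoted literal beginning at sql[start].

    Models the MySQL parser with backslash escapes enabled (the default;
    NO_BACKSLASH_ESCAPES changes this).  Returns the decoded value and the
    index just past the closing quote.
    """
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    out = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            # Backslash escape: map \' -> ', \n -> newline, etc.
            # An unknown escape simply drops the backslash.
            out.append(_UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")          # '' inside a literal is a quote
                i += 2
            else:
                return "".join(out), i + 1   # closing quote: literal ends
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def build_insert(comment: str, escape: bool = True) -> str:
    """The INSERT the thread's code would build, with or without escaping."""
    text = mysql_real_escape_string(comment) if escape else comment
    return f"INSERT INTO comments (body) VALUES ('{text}')"


def _literal_start(sql: str) -> int:
    return sql.index("VALUES ('") + len("VALUES (")


def stored_value(sql: str) -> str:
    """What the server stores: the decoded literal, without backslashes."""
    value, _ = parse_string_literal(sql, _literal_start(sql))
    return value


def remainder_after_literal(sql: str) -> str:
    """SQL text the parser sees after the literal ends.

    With a correctly escaped value this is just the closing ')'; with an
    unescaped quote in the input, the attacker's text lands here as SQL.
    """
    _, end = parse_string_literal(sql, _literal_start(sql))
    return sql[end:]


if __name__ == "__main__":
    user_input = "I am very 'confused' by this"     # constructed input
    sql = build_insert(user_input)
    print(sql)                 # backslashes appear in the query text ...
    print(stored_value(sql))   # ... but not in the stored value

    payload = "x'); DROP TABLE comments; -- "       # constructed payload
    print(remainder_after_literal(build_insert(payload)))               # ')'
    print(remainder_after_literal(build_insert(payload, escape=False)))  # SQL
```

Two caveats follow from the model. The decoding step depends on the server's sql_mode: with NO_BACKSLASH_ESCAPES the backslash is an ordinary character and this escaping no longer protects the literal. The "real" in the name means the escaping is done for the connection's character set, which is why the function needs an open connection; a mismatch between the connection charset and the one the server applies to the literal is what made some multibyte charsets unsafe even with escaping. The ext/mysql extension the thread uses was removed in PHP 7.0; the current answer to the same problem is a prepared statement with mysqli or PDO, where the value never enters the SQL text at all.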
