LLLLLLL - Posted November 13, 2011

Never had this one before. Here's a string from a URL:

    $urltext = Product_Name_'with_single_quotes'_"_B

    $name = str_replace( "_", " ", $urltext );
    echo 'raw: ' . $name . "<br>";
    $name = mysql_real_escape_string( $name );
    echo 'mysql_real_escaped: ' . $name . '<br>';

Doesn't seem possible, but both of the "echos" return the same string. My query fails because there are no backslashes in the SQL statement. What's going on here?

    raw: Product Name 'with single quotes' " B
    mysql_real_escaped: Product Name 'with single quotes' " B

PFMaBiSmAd - Posted November 13, 2011

What does a 'view source' in your browser show of the echo'ed output from that code?

Also, what is the code between that code and your query? What exact error do you get from your query statement?

LLLLLLL (Author) - Posted November 13, 2011

The source of the page shows:

    raw: Product Name 'with single quotes' " B<br>mysql_real_escaped: Product Name 'with single quotes' " B

The only problem is that there are not backslashes in this string; I get the normal mysql error. I'm really just concerned with why I'm not getting the backslashes to escape the string.

PFMaBiSmAd - Posted November 13, 2011

There's nothing to escape because those are not quotes. They are html entities.

If you want help with the mysql error, you will need to post the query and the actual mysql error you are getting.

LLLLLLL (Author) - Posted November 13, 2011

I realize the source shows those are entities, but that's not what the GET array is giving me.

Standard unescaped query:

    SELECT * FROM products WHERE name = 'Product Name 'with single quotes' " B'

Standard error:

    #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'with single quotes' " B' LIMIT 0, 30' at line 1

floridaflatlander - Posted November 13, 2011

Are you pulling this info from a db?

http://www.phpfreaks.com/forums/index.php?topic=330776.msg1556643#msg1556643

LLLLLLL (Author) - Posted November 13, 2011

No. The original string is a GET parameter.

PFMaBiSmAd - Posted November 13, 2011

> I realize the source shows those are entities, but that's not what the GET array is giving me.

What source? What get array?

To get the quickest solution to what your code is doing, post all the code needed to reproduce the problem. For all we know you aren't even using the variables you have shown in the actual query statement.

LLLLLLL (Author) - Posted November 13, 2011

Gah. Nevermind. The string was getting changed to html entity by default; I decoded it with the right parameters and it worked. Sorry for this thread.

LLLLLLL (Author) - Posted November 13, 2011

With all due respect, PFMaBiSmAd, the only problem was that the query wasn't being escaped. You were asking about the wrong issue.

floridaflatlander - Posted November 13, 2011

Are you talking about this?

    $urltext = Product_Name_'with_single_quotes'_"_B

PFMaBiSmAd - Posted November 13, 2011

We only see the information you supply in your posts. The code you did post and the 'view source' of the echoed output from that code (you did post the view source output from those 4 lines of code?) could not have produced the query error you stated you were getting. Therefore, something in the rest of your code was not putting that data into your query, but was putting data that had actual quotes, un-escaped ones, into the query.

LLLLLLL (Author) - Posted November 13, 2011

Your "view source" comment -- your first comment -- gave me the information to solve the issue, and I thank you. But the rest of the questions were the wrong direction. I am no longer following this thread.

Pikachu2000 - Posted November 13, 2011

Without asking questions, there is often no way to tell what the right direction is. This is especially true when you provide less than adequate information for anyone to help you. If you don't want to be asked questions, use Google to find your answers.

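Added example, not part of any post in the thread: it reproduces the symptom discussed above (an escaper that appears to do nothing because the quotes are really HTML entities) and shows a bound parameter handling the decoded value. Assumptions: the entity forms `&#039;` and `&quot;` are constructed sample input, `addslashes()` stands in for `mysql_real_escape_string()` so no database connection is needed, and an in-memory SQLite `products` table via PDO replaces the poster's MySQL table.

```php
<?php
// Constructed sample: the GET value after something upstream has already
// HTML-encoded it (assumed entity forms; the thread does not show them).
$fromRequest = 'Product_Name_&#039;with_single_quotes&#039;_&quot;_B';
$name = str_replace('_', ' ', $fromRequest);

// In a browser the entities render as quotes, so the echo looks quoted.
// Inspect the bytes instead: there is no ' or " for an escaper to act on.
$hasRealQuotes = strpbrk($name, "'\"") !== false;
echo 'contains real quotes: ', var_export($hasRealQuotes, true), PHP_EOL;

// Stand-in for mysql_real_escape_string(): nothing to escape, so the
// "escaped" string is identical to the raw one, as in the first post.
$escaped = addslashes($name);
echo 'escaper changed it:   ', var_export($escaped !== $name, true), PHP_EOL;

// Decoding brings the real quote characters back. ENT_QUOTES is passed
// explicitly so that &#039; is decoded as well as &quot;.
$decoded = html_entity_decode($name, ENT_QUOTES, 'UTF-8');
echo 'decoded value:        ', $decoded, PHP_EOL;

// From here the value is dangerous to concatenate into SQL text. Escaping
// must happen after decoding, never before. A bound parameter removes the
// ordering problem because the value is never parsed as SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');

$insert = $pdo->prepare('INSERT INTO products (name) VALUES (?)');
$insert->execute([$decoded]);

$select = $pdo->prepare('SELECT name FROM products WHERE name = ?');
$select->execute([$decoded]);
$row = $select->fetch(PDO::FETCH_ASSOC);

echo 'row found:            ', var_export($row !== false, true), PHP_EOL;
echo 'stored name matches:  ',
    var_export($row !== false && $row['name'] === $decoded, true), PHP_EOL;
```

Running it from the command line rather than a browser avoids the rendering step that hid the entities in the thread.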