ecabrera Posted March 31, 2012

The mysql_real_escape_string does not add slashes when it enters my db, why?

    <?php
    if(isset($_POST['submitbtn'])){
        //will open up the db connection
        require_once "../includes/connect.php";
        $errors = "";
        $welcometitle = mysql_real_escape_string($_POST['welcometitle']);
        $welcomesection = mysql_real_escape_string($_POST['welcomesection']);
        $infotitle = mysql_real_escape_string($_POST['infotitle']);
        $infosection = mysql_real_escape_string($_POST['infosection']);
        $videotitle = mysql_real_escape_string($_POST['videotitle']);
        $videosection = mysql_real_escape_string($_POST['videosection']);
        if(isset($welcometitle, $welcomesection) && !empty($welcometitle) && !empty($welcomesection)){
            if(isset($infotitle, $infosection) && !empty($infotitle) && !empty($infosection)){
                if(isset($videotitle, $videosection) && !empty($videotitle) && !empty($videosection)){
                    //adding them to the db
                    $query = mysql_query("UPDATE `home` SET `welcometitle`= '$welcometitle', `welcomesection`= '$welcomesection', `infotitle`='$infotitle', `infosection`= '$infosection',`videotitle`= '$videotitle',`videosection`= '$videosection'") or die(mysql_error());
                    header("location: http://www.website.org/control/edithome");
                    exit; //stop here so the redirect is the only response
                }else{
                    $errors = "Please fill in the Video Section";
                }
            }else{
                $errors = "Please fill in the Info Section";
            }
        }else{
            $errors = "Please fill in the Welcome Section";
        }
        mysql_close();//will close the included db connection
    }
    ?>

AyKay47 Posted March 31, 2012

It won't.

ecabrera (Author) Posted March 31, 2012

Why? Isn't it supposed to help with SQL injection?

trq Posted March 31, 2012

Are you expecting the slashes to show up in your database? Because they won't, and it's not meant to. It simply escapes special chars on the way into the database.

ecabrera (Author) Posted March 31, 2012

Oh, so would I have to use the addslashes PHP function?

trq Posted March 31, 2012

No. You don't want slashes stored in your database. The idea is no different to escaping quotes within a quoted string.

    echo 'This is some text with \'quotes\' in it.';

You don't expect the backslashes to show up when you echo this. The same theory applies to mysql_real_escape_string. You don't want the actual slashes stored in your database.

ecabrera (Author) Posted March 31, 2012

OK, so why is it that I can store this?

    <iframe width="280" height="280" src="http://www.youtube.com/embed/kl_etatm2BYH0?feature=player_embedded" frameborder="0" allowfullscreen></iframe>

trq Posted March 31, 2012

Why wouldn't you be able to store it?

Nasir Posted March 31, 2012

You're simply escaping the single quotes in order to prevent SQL injection. What you are talking about is sanitizing your data from any script injection through POST/GET or however you're handling data from your users.
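
The distinction the replies above draw (escape characters exist only in the SQL text, addslashes would put real backslashes into the data, and HTML such as the iframe is untouched by SQL escaping) can be checked with the following added example, which is not code from any poster in this thread. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection, because the mysql_* extension was removed in PHP 7.0; the table layout and sample values are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the thread's MySQL `home` table
// (assumption); SQLite escapes a quote by doubling it rather than with a backslash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE home (id INTEGER PRIMARY KEY, label TEXT, content TEXT)');

// Constructed sample values standing in for $_POST fields.
$title  = "Tom's \"best\" clip";
$iframe = '<iframe width="280" height="280" src="http://www.example.com/embed/x"></iframe>';

// Case 1: escape into a SQL literal, the role mysql_real_escape_string plays.
// PDO::quote() returns the value quoted and escaped for this driver.
$literal = $db->quote($title);
$db->exec("INSERT INTO home (label, content) VALUES ('escaped literal', $literal)");

// Case 2: bound parameter, so the value never becomes part of the SQL text.
$insert = $db->prepare('INSERT INTO home (label, content) VALUES (?, ?)');
$insert->execute(['bound parameter', $title]);

// Case 3: addslashes() on top of binding. The backslashes are now stored data.
$insert->execute(['addslashes + bound', addslashes($title)]);

// Case 4: HTML is not special to SQL, so the markup is stored unchanged.
$insert->execute(['iframe markup', $iframe]);

echo "SQL literal sent in case 1: $literal\n\n";
foreach ($db->query('SELECT label, content FROM home ORDER BY id') as $row) {
    $stored = $row['content'];
    // True when the stored value is byte-for-byte one of the original inputs.
    $intact = in_array($stored, [$title, $iframe], true);
    printf("%-20s stored:   %s\n", $row['label'], $stored);
    printf("%-20s intact:   %s\n", '', var_export($intact, true));
    // Output encoding is a separate step, applied when writing into HTML.
    printf("%-20s for HTML: %s\n\n", '', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}
```

Only the addslashes row comes back different from its input, and the iframe row shows that deciding whether markup is rendered or displayed as text is made at output time, not at insert time.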
Archived
This topic is now archived and is closed to further replies.