mysqli_real_escape_string

[ecabrera]

I don't why mysqli_real_escape_string will not add escape strings it seems like it should

$game = $_POST['game'];
$submit = $_POST['submit'];

if($submit){

require "scripts/db.ini.php";

$safe = mysqli_real_escape_string($db, $game);

$insert = "INSERT INTO `games`(`game`) VALUES ('$safe')";

mysqli_query($db,$insert);
}

Edited February 9, 2013 by ecabrera

[Technocrat]

It looks like you are using $game and not $safe in your query

[ecabrera]

No thats no it

[Technocrat]

You have the default character set, set?

 

Are you sure $db is active and connected?

 

Do you have errors and warnings on? It might be surpessing something, like its disabled or something?

 

If you do a dump or a string compare are they both exactly equal?

[ecabrera]

yes this works it inserts into the database but doesnt escape

[Jessica]

If it inserted correctly then it DID escape.

What is the string you're inserting?

[ecabrera]

im inserting I'm a "foobar" shouldnt it escape it with /

[Jessica]

Like I said. If it inserted into the DB, then it was escaped. When you query your database what do you see??

[ecabrera]

I'm a "foobar"

[tibberous]

im inserting I'm a "foobar" shouldnt it escape it with /

 

I don't think you understand what it does. It replaces a couple characters, namely ', with \' so you can insert them into the database.

 

Lets say you were inserting "Jim's Car" - if you didn't escape it, the query would fail, because the sql would read:

 

INSERT INTO `games`(`game`) VALUES ('Jim's Car')

 

So, when you escape it, it replaces Jim's Car with Jim\'s Car, you still get Jim's Car in the database, the backslashes are typically never seen.

 

 

So... yeah - thats escaping. It doesn't just randomly add slashes to strings, and you'll never see the slashes if you insert it into the database instead of print it to the screen.

[Jessica]

I'm a "foobar"

See, it worked...