The Little Guy (posted October 22, 2007)

Why doesn't this save the slashes when it puts it into the database but it will print them on the screen?

```php
<?php
include 'db.php';
$sql = mysql_query("SELECT * from snippets WHERE id = '1'");
while($row = mysql_fetch_array($sql)){
    $v = addslashes($row['code']);
    mysql_query("UPDATE snippets SET `code` = '$v' WHERE id = '1'") or die(mysql_error());
}
echo 'Done';
?>
```

roopurt18 (posted October 22, 2007)

What do you mean exactly? I don't see you trying to print anything to the screen?

In any case, the slashes added by addslashes() are stripped out by MySQL. If you want to actually save the slashes to the database, you'd have to call addslashes() twice; I'm not sure why you'd want to do that though.

The Little Guy (author, posted October 22, 2007)

So... addslashes once will not add slashes when it is saved to a database? Will it give me any errors? If you don't addslashes, mysql_error will complain about quotes.

So... will that stop mysql injection still if I only have one addslashes?

dbo (posted October 22, 2007)

Do you understand what addslashes does? It preserves your input... it's working exactly as it's supposed to and it is adding the slashes to preserve the data; the characters are treated as literals and the query won't break.

All that being said, you should be using mysql_real_escape_string and not addslashes.

wildteen88 (posted October 23, 2007)

You're better off using mysql_real_escape_string over addslashes. mysql_real_escape_string is a mysql function which helps to prevent sql injection attacks.

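Added example, not part of the original thread: a small PHP model of what the replies describe, showing that the slashes from one `addslashes()` are consumed when MySQL parses the string literal and that only a second pass leaves them in the stored value. `mysql_literal_value()` is a hypothetical helper (an assumption, not a PHP or MySQL function) that decodes a quoted literal the way MySQL does under its default sql_mode, and the sample value is constructed.

```php
<?php
// Added illustration. mysql_literal_value() is a hypothetical helper modelling how MySQL
// decodes a single-quoted literal (default sql_mode, NO_BACKSLASH_ESCAPES off).
function mysql_literal_value(string $literal): string
{
    $end = strlen($literal) - 1;
    if ($end < 1 || $literal[0] !== "'" || $literal[$end] !== "'") {
        throw new InvalidArgumentException('expected a single-quoted literal');
    }
    $special = ['0' => "\0", 'b' => "\x08", 'n' => "\n", 'r' => "\r", 't' => "\t", 'Z' => "\x1a"];
    $out = '';
    for ($i = 1; $i < $end; $i++) {
        $c = $literal[$i];
        if ($c === '\\') {
            if (++$i >= $end) {
                throw new RuntimeException('trailing backslash escapes the closing quote');
            }
            $n = $literal[$i];
            // \% and \_ keep their backslash (LIKE patterns); \' -> ', \" -> ", \\ -> \
            $out .= ($n === '%' || $n === '_') ? '\\' . $n : ($special[$n] ?? $n);
        } elseif ($c === "'") {
            if ($i + 1 < $end && $literal[$i + 1] === "'") {
                $out .= "'";   // '' is the other way to write a quote inside a literal
                $i++;
            } else {
                throw new RuntimeException("unescaped quote at offset $i ends the literal early");
            }
        } else {
            $out .= $c;
        }
    }
    return $out;
}

$code  = "echo 'hi';";   // constructed sample value for snippets.code
$once  = mysql_literal_value("'" . addslashes($code) . "'");
$twice = mysql_literal_value("'" . addslashes(addslashes($code)) . "'");
printf("original:            %s\n", $code);
printf("stored, 1x escaped:  %s\n", $once);
printf("stored, 2x escaped:  %s\n", $twice);

try {
    mysql_literal_value("'" . $code . "'");   // no escaping: the case mysql_error() reports
} catch (RuntimeException $e) {
    printf("unescaped:           %s\n", $e->getMessage());
}
```

The `mysql_*` functions used in the thread were removed in PHP 7.0; with mysqli or PDO prepared statements the value is sent separately from the SQL text and needs no escaping pass.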