[SOLVED] Slash in string and insert. Problem

[lindm]

Have searched around and this seems to be a common area for help, still need your help though...

 

In my php script I have a variable which contains html code and parts that are slashed, example:

 

$var = 'onmouseover="popup(\'Test\')" ';

 

Now I want to insert $var into a mysql database and get a syntax error which I guess is because of the backslashes. How do I come around this? Magic quotes is enabled if this helps.

 

Thanks in advance.

[lindm]

Is this perhaps the best solution?

 

$var2=mysql_real_escape_string(stripslashes($var), $con);

 

[drranch]

What does the syntax error message say?

[lindm]

The original error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'xxx ' at line 1

 

This however seems to work.

$var2=mysql_real_escape_string(stripslashes($var), $con);

 

 

Any ideas why I shouldn't use this? perhaps an other solution?

 

Thanks

[drranch]

The backslash is an escape charater in MYSQL and that was the reason for the error.

 

Using the new one you built is fine since using mysql escape string is escaping the backslash escape character.  You could have used two back slashes on the orginal script, since they would have represented a single backslash and not recognized by MYSQL or PHP as an escape character of a single back slash.

 

Using mysql_real_escape_String() around each variable prevents SQL injections from occuring by prepending backslashes to the following characters \x00, \n, \r, \, '," and \x1a

 

This function should always be used with few exceptions to make data safe before sending a query to MYSQL

[lindm]

Then I learned something new today too

 

Many thanks!