I know this is a big topic, but also a very confusing one. I have searched the forum for an answer to my question but have not received one yet. Hopefully this is just a short answer. Anyway here it is:

I am using the function myAddSlashes, which checks if the magic_quotes are off or on. My question is: do you need to addslashes if the quotes are off if you use mysql_real_escape_string()?

Also, if magic_quotes are on, will mysql_real_escape_string() mess up the data and double the slashes?

Basically, what I am getting at is: no matter what the outcome, can I do the real escape before any data goes to the database? If magic quotes are on or off, or even if I already added the slashes?

Thanks!

--FrosT

    Answer to my own question:

    After trying, I found that if you escape strings on variables with magic_quotes on, it double escapes them, which is bad.

    Here is a new function I cooked up that I think will work well.

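    	// Escapes for MySQL once, whether magic_quotes_gpc is on or off.
    	function myAddSlashes($string) {
    		// Undo the slashes magic quotes already added, so they are not escaped twice.
    		if (get_magic_quotes_gpc()) {
    			$string = stripslashes($string);
    		}
    		return mysql_real_escape_string($string);
    	}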
    
    

    You should be aware I store this function in my database class so I have to have a DB connection when I use it. Hope this helps some people out!

    --FrosT
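
The double escaping described in this thread, as an added example that is not part of the original posts. It assumes a pure-PHP stand-in for mysql_real_escape_string() so it runs without a connection, simulates magic quotes with addslashes(), and passes the magic-quotes state in as a flag; the `sim_*` helpers, `normalize_then_escape()` and the sample values are constructed for illustration.

```php
<?php
// Characters escaped by the stand-in (assumption: mirrors mysql_real_escape_string()).
const ESCAPE_MAP = [
    "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
    "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
];

// Stand-in for mysql_real_escape_string(): adds one level of escaping.
function sim_real_escape(string $s): string {
    return strtr($s, ESCAPE_MAP);
}

// What the server ends up storing: the SQL parser removes one level of escaping.
function sim_stored(string $escaped): string {
    return strtr($escaped, array_flip(ESCAPE_MAP));
}

// The thread's logic: strip slashes only when magic quotes added them.
function normalize_then_escape(string $input, bool $magicOn): string {
    return sim_real_escape($magicOn ? stripslashes($input) : $input);
}

// Constructed inputs: one with a quote, one with a legitimate backslash.
foreach (["O'Reilly", 'C:\\temp'] as $raw) {
    foreach ([false, true] as $magicOn) {
        // magic_quotes_gpc ran addslashes() on request data before the script saw it.
        $input = $magicOn ? addslashes($raw) : $raw;
        $cases = [
            'escape only'         => sim_real_escape($input),
            'always stripslashes' => sim_real_escape(stripslashes($input)),
            'conditional strip'   => normalize_then_escape($input, $magicOn),
        ];
        foreach ($cases as $name => $escaped) {
            $stored = sim_stored($escaped);
            printf("%-9s magic=%-3s %-20s stored=%-11s %s\n",
                $raw, $magicOn ? 'on' : 'off', $name, $stored,
                $stored === $raw ? 'ok' : 'CORRUPTED');
        }
    }
}
```

Only the conditional version stores the original value in all four combinations: escaping alone stores extra backslashes when magic quotes are on, and stripping unconditionally drops the real backslash from `C:\temp` when they are off.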
