Hello;
The PHP Manual says to always use mysql_real_escape_string when running a MySQL query. It looks like the Manual says to use the mysql_real_escape_string function when doing both a SELECT query and an INSERT query.
http://www.php.net/manual/en/function.mysql-real-escape-string.php
I'm primarily concerned with the MySQL INSERT query.
The magic_quotes directive is turned "On" in the PHP server configuration for my hosting.
The Manual says (under "Notes" about 1/4 way down the page) that if magic_quotes_gpc is enabled to first apply stripslashes in order to avoid the string being backslashed twice before inserting into the db.
But my problem is that if I do as the Manual says the data gets inserted into the db without being backslashed at all. I am using the phpMyAdmin to look at the db tables.
// This results in no backslashes in the $Article data in the db.
// The data should have one backslash using this code.
$Article = stripslashes($Article);
$Article = mysql_real_escape_string($Article);
If I do this there is one backslash, not two, looking at the db table with the phpMyAdmin program:
// This adds one backslash like so \' and \" to the $Article data.
// The $Article data should have two backslashes (which would be wrong)
$Article = mysql_real_escape_string($Article);
Can anybody shed some light on the right way to use the mysql_real_escape_string when doing a MySQL database INSERT query?
Thanks.
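Added example (not part of the original post and not code from the PHP Manual): the escaping backslashes exist only for the SQL parser, which consumes them when it reads the string literal, so a correctly escaped value is stored with no backslashes. The sketch below models both snippets from the post without a database; `escape_like_mysql()`, `mysql_literal_value()`, the `articles` table and the sample text are assumptions made for the illustration, and `addslashes()` stands in for what magic_quotes_gpc does to form input.

```php
<?php
// Stand-in for mysql_real_escape_string(), which needs a live connection.
// It escapes the same characters: NUL, \n, \r, \, ', " and Ctrl-Z.
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// What the server's parser does to the body of a quoted string literal
// (default sql_mode, i.e. NO_BACKSLASH_ESCAPES is off).
function mysql_literal_value(string $body): string {
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t", 'b' => "\x08", 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === "\\" && $i + 1 < $n) {
            $next = $body[++$i];
            // \% and \_ keep their backslash outside LIKE patterns.
            $out .= $map[$next] ?? (($next === '%' || $next === '_') ? "\\$next" : $next);
        } else {
            $out .= $body[$i];
        }
    }
    return $out;
}

$typed = 'He said "it\'s done"';   // constructed sample of what the user typed
$gpc   = addslashes($typed);        // what the script receives with magic_quotes_gpc On

$cases = [
    'stripslashes() then escape' => escape_like_mysql(stripslashes($gpc)),
    'escape only'                => escape_like_mysql($gpc),
];

foreach ($cases as $label => $escaped) {
    // Hypothetical table and column names.
    $sql    = "INSERT INTO articles (body) VALUES ('$escaped')";
    $stored = mysql_literal_value($escaped);
    printf("%s\n  query : %s\n  stored: %s\n  intact: %s\n\n",
        $label, $sql, $stored, $stored === $typed ? 'yes' : 'no');
}
```

A value that shows backslashes in phpMyAdmin was escaped twice and is stored altered. With prepared statements (mysqli or PDO) the value travels separately from the SQL text, so no escaping step is involved.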