[RESOLVED] What's the proper way to use the "mysql_real_escape_string" function in a db INSERT query?

Hello;

The PHP Manual says to always use mysql_real_escape_string when running a MySQL query. It looks like the Manual says to use the mysql_real_escape_string function when doing both a SELECT query and an INSERT query.
http://www.php.net/manual/en/function.mysql-real-escape-string.php

I'm primarily concerned with the MySQL INSERT query.

The magic_quotes directive is turned "On" in the PHP server configuration for my hosting.

The Manual says (under "Notes", about 1/4 of the way down the page) that if magic_quotes_gpc is enabled you should first apply stripslashes() in order to avoid the string being backslashed twice before inserting it into the db.

But my problem is that if I do as the Manual says, the data gets inserted into the db without being backslashed at all. I am using phpMyAdmin to look at the db tables.

// This results in no backslashes in the $Article data in the db.
// The data should have one backslash using this code.
$Article = stripslashes($Article);
$Article = mysql_real_escape_string($Article);

If I do this, there is one backslash, not two, when looking at the db table with phpMyAdmin:

// This adds one backslash like so \' and \" to the $Article data.
// The $Article data should have two backslashes (which would be wrong)
$Article = mysql_real_escape_string($Article);

Can anybody shed some light on the right way to use the mysql_real_escape_string when doing a MySQL database INSERT query?

Thanks.

    If you look at the already inserted data, you expect that there will not be any additional backslashes. After all, you are concerned with escaping the data being inserted, so the data is not kept in escaped form.

      If I'm reading you right, what you're saying is that if I use mysql_real_escape_string on a string before I put it into the db, I don't need to have backslashes inserted in the db table?

      I have been using addslashes() to add the slashes to the string before inserting it into the MySQL db. In other words, I don't need to use addslashes() or anything other than mysql_real_escape_string?

        You only need to use mysql_real_escape_string(). Additionally, if magic_quotes_gpc is in effect, you want to first do a stripslashes() before doing the mysql_real_escape_string(), otherwise you'll end up adding unwanted backslashes into the query string. Thus the "Best Practice" example on the mysql_real_escape_string page first checks to see if magic_quotes is turned on, then does a stripslashes() if it is.
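        Putting the two replies above side by side, as an added example (not code from any poster or from the PHP Manual): the same form input run through the wrong order (escape only) and the right order (strip magic quotes, then escape). It assumes a PHP 5 era setup with magic_quotes_gpc = On and an open connection in $link from mysql_connect(); the mysql_* extension and get_magic_quotes_gpc() were later removed from PHP (7.0 and 8.0 respectively).

```php
<?php
// Added example. Assumes $link is an open connection from mysql_connect()
// and that the server has magic_quotes_gpc = On, as in the thread.

// The manual's "Best Practice" shape: undo magic_quotes first, then escape
// exactly once for the connection's charset, and return a quoted SQL literal.
function quote_smart($value, $link)
{
    if (get_magic_quotes_gpc()) {
        // magic_quotes already added backslashes to $_GET/$_POST/$_COOKIE;
        // remove them so they are not escaped a second time below.
        $value = stripslashes($value);
    }
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Constructed input: what the user actually typed into the form.
$typed = "Rock 'n' roll";

// What $_POST['article'] looks like after magic_quotes_gpc has run.
// (addslashes() is used here only to simulate that; do not do this in real code.)
$as_received = addslashes($typed);            // Rock \'n\' roll

// Wrong order: escaping the already-backslashed value doubles the escaping.
// Query text becomes  Rock \\\'n\\\' roll  and MySQL stores  Rock \'n\' roll,
// i.e. a literal backslash before each quote shows up in phpMyAdmin.
$wrong = "'" . mysql_real_escape_string($as_received, $link) . "'";

// Right order: strip, then escape. Query text becomes  Rock \'n\' roll  and
// MySQL stores  Rock 'n' roll  with no backslashes at all. That is the
// expected result: backslashes belong in the query text, not in the table.
$right = quote_smart($as_received, $link);

$sql = "INSERT INTO articles (body) VALUES (" . $right . ")";
if (!mysql_query($sql, $link)) {
    // Surface the real error instead of silently inserting nothing.
    die("INSERT failed: " . mysql_error($link));
}
```

        To confirm the behaviour, compare what phpMyAdmin shows for a row inserted with $wrong versus $right: only the former carries stored backslashes.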

          laserlight, NogDog;

          Thanks for responding and helping out with my question.

          I'm re-designing my web site. It's odd, but about a year and a half ago, when I was first programming the web site, I never noticed the mysql_real_escape_string function in the PHP Manual.

          It says that the mysql_real_escape_string function has been in effect since PHP ver. 4.3.0. I'm glad I found it this time.

          Thanks again.
