[RESOLVED] mysql_real_escape_string

tanandan

Does anyone know why the following isn't working? My data is successfully inserted into the database, but none of the fields are getting escaped.

if($_POST) {
		$date = $_POST['date'];
		$fname = $_POST['fname_prime'];
		$lname = $_POST['lname_prime'];
		$attend_mode = $_POST['attend_mode'];

	if (get_magic_quotes_gpc()) {
		$date = stripslashes($date);
		$fname = stripslashes($fname);
		$lname = stripslashes($lname);
		$attend_mode = stripslashes($attend_mode);
	} {}
		$sql = "INSERT INTO events_registrants(date, fname_prime, lname_prime, attend_mode)
			VALUES(
			'" . mysql_real_escape_string($date) . "',
			'" . mysql_real_escape_string($fname) . "',
			'" . mysql_real_escape_string($lname) . "',
			'" . mysql_real_escape_string($attend_mode) . "'
			)";
		} {}

cgraz

Please edit your post and put your code between [noparse]

[/noparse] tags so we can read it.

Where's the rest of the code? I don't see the call to mysql_query(). My first guess is that you are not connected to your database while calling mysql_real_escape_string(), and that you are connecting to it after you define the $sql variable? If so, mysql_real_escape_string won't work as it needs the MySQL function to properly escape.

bradgrafelman

tanandan wrote:
My data is successfully inserted into the database, but none of the fields are getting escaped.

Isn't that contradicting yourself? If they weren't being escaped, then the INSERT would fail. If it doesn't fail, that's because there was nothing in the string that needed to be escaped. Unless you're talking about new lines not being stored properly... I'd sure like to see an example of what you mean.

Also, if cgraz's guess is correct, turning display_errors On and setting error_reporting to E_ALL (as you should do when debugging any script...) should confirm it.

tanandan

Sorry, here is a fuller look at my code.

if($_POST) {
        $date = $_POST['date'];
        $fname = $_POST['fname_prime'];
        $lname = $_POST['lname_prime'];
        $attend_mode = $_POST['attend_mode'];

    if (get_magic_quotes_gpc()) {
        $date = stripslashes($date);
        $fname = stripslashes($fname);
        $lname = stripslashes($lname);
        $attend_mode = stripslashes($attend_mode);
    } {}
        $sql = "INSERT INTO events_registrants(date, fname_prime, lname_prime, attend_mode)
            VALUES(
            '" . mysql_real_escape_string($date) . "',
            '" . mysql_real_escape_string($fname) . "',
            '" . mysql_real_escape_string($lname) . "',
            '" . mysql_real_escape_string($attend_mode) . "'
            )";
        } {} 
if($_POST) {
			if(mysql_query($sql, $dbh)) {
			//$msg = "Your event was added to the database.";
			header("location: register_thankyou.php?eid=" . $_POST['eid']);
			}else{
				echo "crash";
				$msg = mysql_error();
				}
}

cgraz

Do a print $sql and copy/paste that to the board so we can see what your query looks like (and what's not being escaped).

tanandan

cgraz wrote:
Do a print $sql and copy/paste that to the board so we can see what your query looks like (and what's not being escaped).

It looks like the statement is getting escaped properly, but when I look in the actual database (via phpmyadmin), none of the slashes show up.

printed $sql:
INSERT INTO events_registrants(date, fname, lname, attend_mode) VALUES( '2007-06-25', 'jim\'s ', 'slim\'s', '2' )

Does the fact that my $sql variable declaration and the mysql() function are in two separate if[$_POST] statements screw things up?

cgraz

They shouldn't be. The escape character (or slash) just says to treat the following single quote as part of the string, not one of the single quotes you use to enclose your string.

tanandan

Is there another character I can test where the slash would actually appear in the database field?

cgraz

Yes. If you literally want a backslash within your string, then you need to escape it first with a backslash.

'It\'s escaped; A literal backslash \ was just inserted'

would give you:

It's escaped; A literal backslash \ was just inserted.

tanandan

Thank you. I guess I'm a little confused about when an actual escaping backslash gets inserted into the database as part of the value and then when I may have to strip it later. I was orignally taught to use addslashes() and then had to later stripslashes() anytime I'd call on the value. I may be confused as a result of how mysql_real_escape_string() and addslashes() behave differently. Or, I'm just not with it today ( or yesterday). Thanks again. I'll mark this thread as resolved.