[RESOLVED] mysql_real escape string ?

Azeem12

hi i am new learner of php
and i m just confuse in one hting
can we work without handling real escape string why we make function such as
function mysql_prep($value){
$magic_quotes_active=get_magic_quotes_gpc();
$magic_enough_php=function_exists("mysql_escape_string");
if ($new_enough_php) {
if ($magic_quotes_active){ $value=stripslashes($value);}
$value= mysql_real_escape_string($value);
}else {
if(!$magic_quotes_active){ $value=addslashes($value);}
}
return $value;
}

i hope i explain my question correctly

djjjozsi

But mysql_real_escape_string() and handling magic qoutes are two different kind of tasks, but they are in a relation in a point of view.

the logic is this:

if magic qoutes is active, run stripslashes on the user input when its posted.
If magic qoutes set OFF, you should not apply stripslashes.

If you add the user inputs into an SQL string, you should apply mysql_real_escape_string() to filter user inserted SQL injections.

This little example follows this logic:

	function mres( $string ) {
    if(get_magic_quotes_gpc())
        $string= stripslashes($string);
        return mysql_real_escape_string($string);
        }

Azeem12

thanks i got it ......thanks for the help

djjjozsi

Your welcome.🙂