Quick one about mysql_real_escape_string
Posted by spykee, 02-23-2012, 08:46 PM
I'm currently away on a holiday, so I can't test this on my LAMP server (doing some reading and browsing here since it's a bit boring). I just want to know one thing about mysql_real_escape_string. For instance, I have the following code using the said function:
I can see the difference between the two outputs: after mysql_real_escape_string, the output is quote\'s instead of quote's as in the first one.
But what if you store the variable to mysql? Say I have a POST variable like that, when using mysql_real_escape_string which one is stored on the db? quote\'s or quote's?
Posted by quantumphysics, 02-23-2012, 08:54 PM
NEVER ** use mysql_ functions.
Use this: http://php.net/manual/en/pdostatement.bindparam.php
Posted by richardhay, 02-24-2012, 08:16 AM
I don't see why you can't use mysql_ functions in PHP, as they are supported and work well. Back to your question... The escaped string (quote\'s) will be what is inserted into the database if you use insert or update. You can use the stripslashes() php command to remove the escaped characters for display or further use.
Posted by Grumps, 02-24-2012, 07:25 PM
Well, quote's is stored in MySQL. But quote\'s is part of the query that's sent to MySQL.
Though, a bit off topic, PDO vs. normal mysql:
http://stackoverflow.com/questions/1...-mysql-connect
Posted by mg-, 02-24-2012, 07:59 PM
Why would you say ***NEVER***
Posted by quantumphysics, 02-24-2012, 08:21 PM
Because it isn't the 18th century.
If you don't like PDO, at least use mysqli_ and bind_param.
Posted by Whiteshizzle, 02-25-2012, 09:12 AM
Indeed, it's always better to use PDO or mysqli over hacking strings together to create SQL queries.
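Added example, not from this thread, that shows in PHP the distinction Grumps draws (escaped text lives only in the query, the plain value is what gets stored) together with the prepared-statement route quantumphysics recommends. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the `mysql_style_escape()` helper is a hypothetical stand-in that reproduces the characters mysql_real_escape_string() escapes, and `notes`/`body` are made-up names.

```php
<?php
// Requires the pdo_sqlite extension. SQLite quotes by doubling ('') rather than with
// backslashes, so the escaped text below is shown as query text only and is never sent.

/**
 * Hypothetical stand-in for mysql_real_escape_string(): escapes the characters MySQL
 * treats specially inside a quoted string literal (the real function also honours the
 * connection's character set, which this helper does not).
 */
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\0"   => "\\0",
        "\x1a" => "\\Z",
    ]);
}

$input = "quote's"; // constructed sample POST value

// 1. The backslash only exists in the SQL text; the server decodes the literal when it
//    parses the statement, so the row ends up holding quote's, not quote\'s.
$escaped = mysql_style_escape($input);
$sqlText = "INSERT INTO notes (body) VALUES ('$escaped')";
echo "Query text that would be sent: $sqlText\n";

// 2. With a prepared statement the value never becomes part of the SQL text, so there is
//    nothing to escape on the way in and nothing to stripslashes() on the way out.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->bindValue(':body', $input, PDO::PARAM_STR);
$stmt->execute();

$stored = $pdo->query('SELECT body FROM notes')->fetchColumn();
echo "Value stored in the database: $stored\n";
echo ($stored === $input) ? "stored value equals the raw input\n" : "mismatch\n";
```

Running it prints the query text with quote\'s and the stored value as quote's, which is the same result you would get from MySQL with mysqli and bind_param.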