mysql_real_escape_string()

Deansatch · #1 (**permalink**) 03-07-08, 06:02 AM

I have started using mysql_real_escape_string() on all fields posted from forms to go in to my database. I previously used striptags() and addslashes().
It seems to work ok but if I type something with quotes
e.g.
I said "hello"

it updates the db fine but when I output it back into a form field, the quotes are gone along with anything after them.

Should mysql_real_escape_string() only be used for login scripts?

Deansatch · #2 (**permalink**) 03-07-08, 06:06 AM

Actually, I just noticed I get the same problem using addslashes() instead. What's going on?

Nico · #3 (**permalink**) 03-07-08, 06:06 AM

You don't need addslashes() if you use mysql_real_escape_string(). It'll take care of the slashes.

Not sure why your quotes would disappear, though? Do you mean the quotes do appear in your database, and only disappear when outputting them?

Deansatch · #4 (**permalink**) 03-07-08, 06:11 AM

Ah sorted! I used htmlentities when outputting. The quotes were disrupting my form field html.

That aside, am I doing the right thing replacing all my previous addslashes($_POST['blah']) with mysql_real_escape_string($_POST['blah'])?

When is it not wise to use mysql_real_escape_string()?

Nico · #5 (**permalink**) 03-07-08, 06:18 AM

It's always wise to use mysql_real_escape_string() when inserting data to the database. It's much more secure than addslashes(). For numeric values you should use intval(), though.

Take a look at the manual page for more info: www.php.net/mysql_real_escape_string

Maybe you want to look at the user comments too, for more info and tips.