mysql_real_escape_string

**MilchstrabeStern** · Jul 3, 2006 19:22

From php.net:

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

I am using the function as follows:

PHP Code:


    $dc_link ='empty';

    

    //name formatting

    $dc_name = strip_tags($dc);

    $dc_name = mysql_real_escape_string($dc_name);

    

    //check if the corps has a link (most div 2 and 3's do not).

        $dc_link = str_replace('<a href = "','<a href="http://www.dci.org', $dc);



    

    $sql =  "SELECT * FROM dci_corps WHERE name ='$dc_name'";

    $result_corps = mysql_query($sql);

    $row = mysql_fetch_row($result_corps);

    

    if (DB::isError($result)) {    

        die($result->getMessage().mysql_error());

    }



    

    if ($row[0]==0) {

        echo "drum corps does not exist.. adding";

        //insert data for each drum corps if new event

        $insert = "INSERT INTO dci_corps (id,name,link) VALUES (0,'$dc_name','$dc_link')";

        $result = $db->query($insert);

            

        if (DB::isError($result)) {    

            die($result->getMessage().mysql_error());

        }



    }

But when used that way, sing quotes (or anything else as far as I know) are not escaped. According to php.net the function "calls MySQL's library function mysql_real_escape_string." So does the function need to be used within the query?

**aamonkey** · Jul 3, 2006 19:40

It looks like you are using the function correctly... the function does not need to be used within a query, you can use the function anytime as long as you have established a connection to your database. If the function is not working and you do not get any errors with error_reporting(E_ALL) then I dunno...

you aren't expecting the actual entries in the database to have slashes in them are you? because it only prepares the data with prepending slashes so that it won't mess up a db insert query...the actual data in the database will not contain slashes.

**MilchstrabeStern** · Jul 3, 2006 19:47

I get no Warning or Notice errors (with all error reporting on). But if I try inserting a name that is like "St. John's" it fails because of the " ' "

Which shouldn't be happenning if mysql_real_escape_string is working.

**aamonkey** · Jul 3, 2006 20:38

what happens when you change that chunk of code to this:

PHP Code:


     $dc_link ='empty'; 
         
        //name formatting 
        $dc_name = strip_tags($dc); 
        $dc_name = mysql_real_escape_string($dc_name); 
         
        //check if the corps has a link (most div 2 and 3's do not). 
            $dc_link = str_replace('<a href = "','<a href="http://www.dci.org', $dc); 
     
         
        $sql =  "SELECT * FROM dci_corps WHERE name ='$dc_name'"; 
        $result_corps = mysql_query($sql) or die ('error: ' . mysql_error()); 
        $row = mysql_fetch_row($result_corps) or die ('error: ' . mysql_error()); 
         
   
         
        if ($row[0]==0) { 
            echo "drum corps does not exist.. adding"; 
            //insert data for each drum corps if new event 
            $insert = "INSERT INTO dci_corps (id,name,link) VALUES (0,'$dc_name','$dc_link')"; 
            $result = $db->query($insert); 
                 
     
        }

...also if the query fails when you insert strings with "'" in them, you must be getting some error message--what is the exact message?

**gog** · Jul 4, 2006 02:10

Try using instead of

PHP Code:


    $dc_name = strip_tags($dc);

    $dc_name = mysql_real_escape_string($dc_name);

    $dc_link = str_replace('<a href = "','<a href="http://www.dci.org', $dc);

this

PHP Code:




    $dc_link = str_replace('<a href = "','<a href="http://www.dci.org', $dc); 



    /**

     * Escape strings so they can be inserted into database querys

     *

     * @param string $value String or number that goes into query

     * @todo if PHP < 4.3 use mysql_escape_string in place of mysql_real_escape_string

     */

    function quoteSmart($value)

    {

        // Stripslashes

        if (get_magic_quotes_gpc()) {

            $value = stripslashes($value);

        }

        // Quote if not a number or a numeric string

        if (!is_numeric($value)) {

            $value = mysql_real_escape_string($value);

        }

        return $value;

    }



    $dcname = quoteSmart($dc);

    $dclink = quoteSmart($dclink);

**MilchstrabeStern** · Jul 4, 2006 07:42

I've used a very similar function from PHP.net before with the same results. I'll give it a shot again though tonight and see how it goes.

User Tag List

Thread: mysql_real_escape_string

Thread Tools

Display

mysql_real_escape_string

Bookmarks

Bookmarks

Posting Permissions