realEscapted_inpuBox

[dotJoon]

Code:

code

<?php
echo "inputBox: ".$inputBox."<br>";
$realEscapted_inputBox=mysql_real_escape_string(trim($_POST['inputBox']));
echo "realEscapted_inputBox: ".$realEscapted_inputBox
?>

result

inputBox: myText
realEscapted_inputBox: myText

If the value of the inputBox is same as the value of realEscapted _inputBox, what is "mysql_real_escapge_string needed for?

How can I recognize the difference between plain inputBox and realEscapted_inputBox?

[Kalon]

the answers to your questions are in the manual.

I don't have time to copy and paste them here.

[dotJoon]

If binary data is to be inserted, this function must be used.

The quote above is from http://php.net/manual/en/function.my...ape-string.php

I think "0100", "1010", etc, are binary data.

What is binary data in the above?

Does it mean that an unfriendly user can send binary data through a form box?

[Jay.P]

"mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement"

There's no special characters in myText, what do you expect to have changed?

[dotJoon]

There's no special characters in myText

Ah, when there are special character, realEscapted do work.
when there is no special character. realEscapted doesn't work.
Thank you.

As I test it
I found that "<" and ">" are special characters.

What other special characters are there?

[Raju Gautam]

In general meaning, this function escapes those characters which can also be used in the SQL statements. To understand the real use of it try passing single quotes with the value like "myText's value" then try to insert it to the database:

PHP Code:

$value = "john's name is John Smith";
mysql_query("insert into tbltest set name='$value'") or die(mysql_error());

$value = mysql_real_escape_string("john's name is John Smith");
mysql_query("insert into tbltest set name='$value'") or die(mysql_error()); 


Try running above two queries and find the use of mysql_real_escape_string().

[dotJoon]

PHP Code:

$value = "john's name is John Smith";
mysql_query("insert into tbltest set name='$value'") or die(mysql_error()); 


the code above causes SQL error while the code below successfully inserts the value to DB.

PHP Code:

$value = mysql_real_escape_string("john's name is John Smith");
mysql_query("insert into tbltest set name='$value'") or die(mysql_error()); 


mysql_real_escape_string() is cool.
it can insert apostrophe and prevent the opening tag "<" and closing tag ">".

I guess I should do it to every user-submit data.

[Raju Gautam]

[php]
I guess I should do it to every user-submit data.