OK I'm stumped - mysql_real_escape string

Hello,

Right on my server I have magic_quotes turned off, so take this insert form WITHOUT mysql_real_escape_string:


   if (isset($_POST['Submit'])) {
	
      $username = $_POST['username'];
      $password = $_POST['password'];
	  
	 echo $SQL = "Insert into test (username,password) values('$username','$password')";
	 $RES = mysql_query($SQL) or die(mysql_error());
	 
	 }
echo '
<form action="" method="post">
Username: <input type="text" name="username" /><br />
Password: <input type="text" name="password" /><br />
<button name="Submit" type="submit" value="Submit">Submit</button>
</form>';

Now, if I add the details:

username: look’s
password: good’s

The $SQL is echoed as:


Insert into test (username,password) values('look\\'s','Good\\'s')

Now if I then ADD mysql_real_escape_string to my php script:


      $username = mysql_real_escape_string($_POST['username']);
      $password = mysql_real_escape_string($_POST['password']);

and add the same details I now get three slashes?


Insert into cb_test (username,password) values('Look\\\\\\'s','Good\\\\\\'s') 

This right? Is this the way queries should go into my database in order to prevent mysql_injections?

Thanks

register globals or magic quotes? You referred to RG in your last post.
Try this:


if(isset($_POST['Submit'])) {
    echo $_POST['username'];
}

If there is a slash then then MQ is on. How are you turning them off? .htaccess or php.ini file?
Is this your local machine, or live server (shared?)

Also check for magic_quotes_runtime, maybe that’s throwing a spanner in the works?

Magical quotes isn’t off. You may think it is, but it isn’t. print_r the $_POST as cranial-bore suggested and you’ll see.

Thanks, but nope and this is what I don’t get. Nothing linked to this file in terms of any global included files with addslashes or anything. Simply that the form data with the mysql_real_escape function and register globals set to off saves the data inputted as:

What’s
Occurrings’s

to MYSQL as:

What\'s
Occurring\'s

with this simple script:


   if (isset($_POST['Submit'])) {
	
      $username = mysql_real_escape_string($_POST['username']);
      $password = mysql_real_escape_string($_POST['password']);
	  
	 echo $SQL = "Insert into test (username,password) values('$username','$password')";
	 $RES = mysql_query($SQL) or die(mysql_error());
	 
	 }
echo '
<form action="" method="post">
Username: <input type="text" name="username" /><br />
Password: <input type="text" name="password" /><br />
<button name="Submit" type="submit" value="Submit">Submit</button>
</form> 
';

I don’t see why mysql is saving the slashes in the database

No.

Using mysql_real_escape_string doesn’t acually add the slashes into the database it just adds them to the query so that the quote doesn’t result in the data and command getting confused. (An easier way to ensure that can’t happen is to use prepare statements with eithe mysqli_ or PDO).

Are you sure that the fields are not being passed through addSlashes() somewhere before reaching the database call since that is the way you’d normally code it if you have magic_quotes off and need that effect and that is what appears to be happening.