
So I do this:

    <?php
    session_start();
    include("../loginconnect.php");
    mysql_real_escape_string($_POST[int]);
    $int = nl2br($_POST[int]);
    $query = "UPDATE `DB`.`TABLE` SET `interests`='$int' WHERE `user`='$_SESSION[user]'";
    mysql_query($query) or die(mysql_error());
    mysql_close($con);
    ?>

And let's say that $_POST[int] is "Foo' bar." The single-quote remains unescaped AND I get a MySQL error when running the script, due to the quote. What's wrong?

  • I also tried using $_POST['int'] with quotes, but that fails too. Commented Jul 8, 2011 at 17:16

3 Answers

2

m_r_e_s() RETURNS the escaped value; it doesn't modify the original.

$int = mysql_real_escape_string($_POST['int']);

$query = "UPDATE ... interests = '$int' ...";

Note that I've added quotes around the int in the POST value. Without the quotes, PHP sees it as a constant value (e.g. define()). If it doesn't find a constant of that name, it politely assumes you meant it to be used as a string and adjusts accordingly, but issues a warning. If you had done

define('int', 'some totally wonky value');

previously, then you'd be accessing the wrong POST value, because PHP would see it as $_POST[some totally wonky value] instead.


4 Comments

  • But in the database, the data remains unescaped. Why?
  • Because the escaping is removed as part of going into the database. Escaping is only useful for the actual query portion, when you're building the SQL statement. After that, MySQL knows EXACTLY where things are, and there's no way for a "naughty" value to leak out. In a vague way, escaping is like handcuffs on a prisoner while transferring between facilities. Once the prisoner's in the new jail, the handcuffs are removed.
  • So the data is still safe, even though I can't see the slashes?
  • @Marc, I've taken the freedom of adding the quotes around the argument; I've assumed you forgot them.
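The escaping-based fix from this answer carried through end to end, as an added example that is not code from the original question or answers. It uses mysqli rather than the mysql_* functions (those were removed in PHP 7), and it assumes things the post does not state: MySQL on localhost, a user 'app' whose password is in the DB_PASSWORD environment variable, a database `DB` with a table `TABLE` holding `user` and `interests` columns, and a default sql_mode (backslash escaping). The input string and user name are constructed stand-ins for $_POST['int'] and $_SESSION['user'].

```php
<?php
// Added example; not from the original question or answers.
// Assumed environment (not in the post): localhost MySQL, user 'app',
// password in $DB_PASSWORD, database `DB`, table `TABLE`(`user`, `interests`).
declare(strict_types=1);
error_reporting(-1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'app', getenv('DB_PASSWORD') ?: '', 'DB');
// real_escape_string is charset-aware: set the connection charset BEFORE escaping.
$mysqli->set_charset('utf8mb4');

// Constructed input standing in for $_POST['int'] and $_SESSION['user'].
$raw  = "Foo' bar.";
$user = 'alice';

// The escaped copy is the RETURN value; $raw itself is left untouched.
$int = $mysqli->real_escape_string($raw);
if ($int === $raw) {
    throw new RuntimeException('expected the escaped copy to differ from the input');
}
if ($raw !== "Foo' bar.") {
    throw new RuntimeException('real_escape_string must not modify its argument');
}

// Every interpolated value gets the same treatment, the session value included.
$safeUser = $mysqli->real_escape_string($user);

$mysqli->query("UPDATE `DB`.`TABLE` SET `interests` = '$int' WHERE `user` = '$safeUser'");

// Read it back: the backslash was consumed by MySQL's parser, so what is stored
// is the original text, quote included and without slashes.
$res = $mysqli->query("SELECT `interests` FROM `DB`.`TABLE` WHERE `user` = '$safeUser'");
$row = $res->fetch_assoc();
if ($row === null || $row['interests'] !== $raw) {
    throw new RuntimeException('stored value should equal the unescaped input');
}

$mysqli->close();
```

The escaping only protects values that sit inside single quotes in the SQL text; it does nothing for a bare number or an identifier, which is one reason the prepared-statement form in the third answer is the better default.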
2

You're not using the results of mysql_real_escape_string in your query. Try doing this:

$int = nl2br(mysql_real_escape_string($_POST['int']));


0
  • You should be using prepared statements. It has a slight learning curve over mysql_* functions, but is well worth it in the long run.
  • You should quote your strings, like $_POST['int'] instead of $_POST[int].
  • At the top of your file put error_reporting(-1);
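The three points of this answer applied to the script in the question, as an added example that is not code from the original question or answers. It uses mysqli prepared statements (the mysql_* extension was removed in PHP 7) and assumes, beyond what the post says, MySQL on localhost, a user 'app' with its password in the DB_PASSWORD environment variable, a database `DB` with a table `TABLE` holding `user` and `interests` columns, and a logged-in user name in $_SESSION['user'].

```php
<?php
// Added example; not from the original question or answers.
// Assumed environment (not in the post): localhost MySQL, user 'app',
// password in $DB_PASSWORD, database `DB`, table `TABLE`(`user`, `interests`).
declare(strict_types=1);

error_reporting(-1);               // report everything ...
ini_set('display_errors', '0');    // ... to the log, not to the browser

session_start();

// mysqli throws exceptions on failure; no "or die(mysql_error())" needed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'app', getenv('DB_PASSWORD') ?: '', 'DB');
$mysqli->set_charset('utf8mb4');

// Quoted array keys: 'user' and 'int', never bareword constants.
if (!isset($_SESSION['user']) || !is_string($_SESSION['user'])) {
    http_response_code(403);
    exit('not logged in');
}
if (!isset($_POST['int']) || !is_string($_POST['int'])) {
    http_response_code(400);
    exit('missing interests');
}
$user = $_SESSION['user'];
$int  = $_POST['int'];

// Prepared statement: the values travel separately from the SQL text, so a
// quote in "Foo' bar." can never be parsed as SQL and nothing needs escaping.
// The text is stored as submitted; nl2br is applied when rendering, below.
$stmt = $mysqli->prepare('UPDATE `DB`.`TABLE` SET `interests` = ? WHERE `user` = ?');
$stmt->bind_param('ss', $int, $user);
$stmt->execute();
$updated = $stmt->affected_rows;
$stmt->close();

// Read the row back with the same mechanism.
$stmt = $mysqli->prepare('SELECT `interests` FROM `DB`.`TABLE` WHERE `user` = ?');
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($stored);
$found = $stmt->fetch();
$stmt->close();
$mysqli->close();

// Output: HTML-escape first (so user-supplied markup is inert), then add <br>.
header('Content-Type: text/html; charset=UTF-8');
echo '<p>', (int) $updated, " row(s) updated</p>\n";
if ($found) {
    echo '<p>', nl2br(htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')), "</p>\n";
}
```

Keeping nl2br out of the storage path is deliberate: the original stores `<br />` tags in the column, which means the value has to be printed without HTML escaping later, and at that point any other markup the user typed is printed verbatim too. Storing the raw text and escaping at render time keeps the column as data and the HTML decision in one place.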

