View Full Version : Just Venting... SQL Preparation


T0PS3O
Jun 17th 2005, 4:00 am
How often do you run into a website that doesn't prepare data for database entry?

It's a bloody beginners programming error and sites that claim to be 'big' have it all over the place.

AskRobo Directory for instance. Submit a description with an apostrophe and you'll get:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's

when clicking the confirmation links. It happened before so I dropped them a contact enquiry but now 3 months later they haven't fixed it.

I've even seen it with e-commerce software providers. How silly is that?!

Please, everyone, addslashes is such an easy PHP function and I'm sure other languages offer the same. Prepare data prior to dumping it into a database or you'll get pissed off customers like me.

exam
Jun 18th 2005, 1:00 pm
Please, everyone, addslashes is such an easy PHP function and I'm sure other languages offer the same. Prepare data prior to dumping it into a database or you'll get pissed off customers like me.

Yeah I hear you tops. But just for the sake of knowledge, it is much better to use mysql_real_escape_string() (with MySQL) or one of the equivalents for other RDBMS. :D Couldn't resist :p

digitalpoint
Jun 18th 2005, 1:02 pm
Better yet, use mysql_escape_string (http://www.php.net/manual/en/function.mysql-escape-string.php).

T0PS3O
Jun 18th 2005, 1:09 pm
Goes to show how many options, other than doing nothing, are out there.

exam
Jun 18th 2005, 1:56 pm
Better yet, use mysql_escape_string (http://www.php.net/manual/en/function.mysql-escape-string.php).

I hardly ever disagree with you Shawn, but look at what php.net says about mysql_escape_string:

This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler (optional [exam]) and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

mushroom
Jun 18th 2005, 9:13 pm
There are 2 kinds of servers out there when it comes to adding " \ ": the ones that have "magic_quotes_gpc = On" and the ones that have it Off in the php.ini file.

The ones that have it On add the " \ " for you (most code is written for these).
The ones that have it Off are a pain in the b***

digitalpoint
Jun 18th 2005, 10:47 pm
I hardly ever disagree with you Shawn, but look at what php.net says about mysql_escape_string

You are right of course... I never use them directly, I have a database class I use to wrap around all the PHP functions (I use the mysql escape real string function in my class). :) I just didn't bother to look that close when I posted it. hehe oops

exam
Jun 19th 2005, 3:34 pm
You are right of course... I never use them directly, I have a database class I use to wrap around all the PHP functions (I use the mysql escape real string function in my class). :) I just didn't bother to look that close when I posted it. hehe oops

No prob, I'm just sort of a detail freak ;) BTW, I've been mulling over making a db class, just haven't gotten around to it yet. :D

T0PS3O
Jun 19th 2005, 3:49 pm
No prob, I'm just sort up a detail freak ;)

Not when it comes to AdSense. Sorry for the cross-thread humor :D

exam
Jun 19th 2005, 3:51 pm
Not when it comes to AdSense. Sorry for the cross-thread humor :D

LOL is an understatement :D Now you're destroying my self-esteem... bad shrink:mad:

davedx
Jun 22nd 2005, 4:16 pm
Yeah, all the servers I've ever used had magic quotes on. I guess the bottom line is always TEST your code, if you can do UAT on it... don't assume code that's worked before will work in different configurations.

exam
Jun 23rd 2005, 1:05 pm
You can always test to see if magic quotes is on or off at the beginning of your script, and act accordingly. Then you'll never run into a problem.
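A worked version of what the thread recommends (check magic_quotes_gpc up front, then escape the value with the connection-aware function before the INSERT), plus the prepared-statement form that avoids the quoting step altogether. This is an added example, not code from any poster; the directory table, its description column and the connection details are assumptions.

```php
<?php
// Added example: normalise request input regardless of the magic_quotes_gpc
// setting, then pass it to MySQL without splicing it into the SQL text.

// 1. Undo magic quotes so the script sees the raw value on every server.
//    get_magic_quotes_gpc() exists up to PHP 7.3; on PHP 8 the guard is never
//    taken because magic quotes no longer exist.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2a. What the thread complains about: the value is spliced into the SQL, so an
//     apostrophe in the description ends the literal early and MySQL answers
//     "You have an error in your SQL syntax ... near 's".
function insert_unprepared(mysqli $db, string $description): bool
{
    return (bool) $db->query("INSERT INTO directory (description) VALUES ('$description')");
}

// 2b. Escaping as the thread recommends. mysqli::real_escape_string is the
//     current equivalent of mysql_real_escape_string(): it quotes according to
//     the connection's character set, which mysql_escape_string() ignored.
function insert_escaped(mysqli $db, string $description): bool
{
    $safe = $db->real_escape_string($description);
    return (bool) $db->query("INSERT INTO directory (description) VALUES ('$safe')");
}

// 2c. Preferred: a prepared statement keeps data and SQL separate, so there is
//     no escaping step to forget on a server with magic quotes Off.
function insert_prepared(mysqli $db, string $description): bool
{
    $stmt = $db->prepare('INSERT INTO directory (description) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $description);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Placeholder credentials; replace with real ones.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'directory_demo');
$description = raw_input($_POST['description'] ?? "O'Reilly's shop"); // constructed sample
insert_prepared($db, $description);
```

With the constructed sample value, insert_unprepared() is the call that reproduces the error quoted earlier in the thread, while insert_escaped() and insert_prepared() store the apostrophe intact.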