I tried to use the above 2 functions to escape the string before inserting into the database. But after done, I checked the string in the database, it's not escaped. For example, I inserted "what's your mother's middle name", and escaped with either of the functions, and then use the select * from table_name, and found the string is still "what's your mother's middle name". However, I tried to echo the escaped string after executing one of the 2 functions, it's "what\'s your mother\'s middle name". By the way, I'm testing it on my own windows vista home laptop, with php, mysql, apached installed. Anybody knows what's the problem?
Actually, there is a need for mysql_real_escape_string. Addslashes (for SQL insertions) is bad and inadequate, it can still be circumvented in some cases. So, what needs to be done is disable magic quotes and use mysql_real_escape_string. Obviously you only need to do mysql_real_escape_string, not both. Besides, magic quotes is deprecated in php 5.3 and will be removed in php 6, so it's best that you update your scripts now if they rely on this feature.
Yes, I agree... actually this is the best function for your problem (ignore my first post) : mysql_real_escape_string
I'm testing with these small scripts: And the output is However, if I inserted the escaped $str into the database and then use the "select * from table_name", it's showed: What's wrong?
When you save the data into mysql database, use this $str = mysql_real_escape_string($str); PHP: When you retrieve the data from mysql and display it out, use this: echo stripslashes($data_from_sql); PHP:
All, I'm asking why mysql_real_escape_string and addslashes are not working on my windows laptop. The magic quotes is off. Can anybody help figure out what's wrong?
Obviously it's working or your query would not work. In the db, the \ are no longer visible as this is only necessary for the insertion.