Home/ Questions/Q 4125352
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T23:51:30+00:00

Before I put data into my database I pass it through mysql_real_escape_string . If

  • 0

Before I put data into my database I pass it through mysql_real_escape_string.

If I want to copy that same data into another table, do I need to pass it through mysql_real_escape_string again before I copy it?

I wrote a small script to test the issue and it looks like the answer is yes:

$db = new AQLDatabase();
$db->connect();

$title = "imran's color";
$title = mysql_real_escape_string($title);
$sql = "insert into tags (title, color) values  ('".$title."','@32324')";
$db->executeSQL($sql);

$sql = "select * from tags where color = '@32324' ";
$result = $db->executeSQL($sql);
while($row= mysql_fetch_array($result))
{
    $new_title =  $row['title'];
}

$new_title = mysql_real_escape_string($new_title);
$sql = "insert into tags (title, color) values  ('".$new_title."','DDDDD')";
$db->executeSQL($sql);

NOTE: If I remove the second mysql_real_escape_string call, then the second insert won’t take place

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Are doing something like this?

    1. save mysql_real_escape_string($bla) to database
    2. fetch $bla from database
    3. save $bla again (in another table..)

    Fetching $bla from the database will “unescape” it so it could be a harmful string again. Always escape it again when saving it.

    • 0