I have the following select statement:
$res = mysql_query("select * from Table where Name='{$_REQUEST['name']}'");
However, since this kind of query is prone to SQL injection, I am using a more secure way for the selection:
$escaped_name=mysql_real_escape_string($_REQUEST['name']);
$res = mysql_query("select * from Table where Name='{$escaped_name}'");
It all works fine until I try to run the selection with a $_REQUEST['name'] that contains the string Joel's. In that case the selection doesn't work. After debugging and printing the content of $escaped_name to the screen, I got the following:
Joel\\\'s
What is the reason for this? It seems like the string was escaped automatically, and then I escaped it again.
The data was probably auto-escaped by PHP’s (deprecated) "magic quotes" feature. To disable magic quotes in .htaccess:
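An added example (not code from the question or the answer above) of how to handle this on the application side: undo the magic-quotes backslashes once at the input boundary, then run the lookup as a prepared mysqli statement so the value is never interpolated or escaped by hand at all. The table and column names are the ones from the question; the connection credentials are placeholders, and the code assumes PHP 7+ with the mysqli extension and mysqlnd (needed for get_result()).

```php
<?php
// Added example, not from the original question or answer.
// Table/column names follow the question; credentials are placeholders.

// Return a request value as the user actually typed it. If magic_quotes_gpc
// was on when the request arrived, PHP has already added backslashes, so
// strip them exactly once here instead of escaping the value a second time.
// get_magic_quotes_gpc() is gone in PHP 8 (and always false from 5.4 on),
// hence the function_exists() guard.
function raw_request_value(string $key, string $default = ''): string
{
    if (!isset($_REQUEST[$key])) {
        return $default;
    }
    $value = (string) $_REQUEST[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Look the rows up with a parameterised query. The value is sent to the
// server separately from the SQL text, so "Joel's" needs no escaping and
// cannot terminate the quoted literal, whatever characters it contains.
function find_by_name(mysqli $db, string $name): array
{
    // `Table` is a reserved word in MySQL, so it has to be quoted.
    $stmt = $db->prepare('SELECT * FROM `Table` WHERE Name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Placeholder connection details; replace with the real ones.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$rows = find_by_name($db, raw_request_value('name'));
```

Disabling magic quotes server-side is still the right fix; the stripslashes() step only keeps the application correct on hosts where that setting is outside your control.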