I just disabled magic_quotes_gpc and I notice that the user input into my database has apostrophes as if nothing was escaped.
// Simulated form input (the question's sample value)
$_POST['message'] = "it's a test";
// htmlentities() encodes HTML-special characters, then mysql_real_escape_string()
// (which needs an open MySQL connection) escapes SQL-special characters such as
// the apostrophe so the value can be placed inside a quoted SQL literal.
$string = mysql_real_escape_string(htmlentities($_POST['message']));
Then I insert it into the database and the database shows:
it's a test
Isn’t it supposed to be it\'s a test, after I applied mysql_real_escape_string?
Or is it the database (here, with PHPMyAdmin) that translates those \' into '?
Thanks in advance.
The purpose of escaping SQL is to avoid SQL injection.
INSERT INTO table VALUES ('it's a test') would cause you trouble, but when you escape it, it turns into INSERT INTO table VALUES ('it\'s a test') and that will work and insert "it's a test" into your database.
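The following is an added example, not code from the question or the answer above. It shows why the stored row has no backslash: the escaping only exists so that the SQL parser can tell where the string literal ends, and the parser strips it again. `mysql_escape` is an assumed re-implementation of what mysql_real_escape_string does for the default character set (it is not PHP's function), `parse_mysql_literals` mirrors the MySQL lexer's rules for single-quoted strings, and the last function uses sqlite3 placeholders to show the same result without any hand-built escaping at all.

```python
import sqlite3

# Characters mysql_real_escape_string rewrites (default character set).
# Assumption: this table is a re-implementation for illustration only.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# Inverse mapping used by the parser below: escape letter -> real character.
_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a",
             "\\": "\\", "'": "'", '"': '"'}


def mysql_escape(value: str) -> str:
    """Escape a string so it can sit between single quotes in a MySQL statement."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_insert(message: str, escape: bool = True) -> str:
    """Build the statement the way string concatenation does it (the risky style)."""
    value = mysql_escape(message) if escape else message
    return "INSERT INTO messages (body) VALUES ('" + value + "')"


def parse_mysql_literals(sql: str):
    """Walk a statement the way the MySQL lexer treats single-quoted strings:
    a backslash escapes the next character, '' is a literal quote, and a bare
    ' opens or closes a literal.  Returns (decoded literals, text outside the
    literals, unterminated) so the statement's structure becomes visible."""
    literals, outside, cur = [], [], []
    in_str = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if not in_str:
            if ch == "'":
                in_str, cur = True, []
            else:
                outside.append(ch)
            i += 1
            continue
        if ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            cur.append(_UNESCAPE.get(nxt, nxt))  # escape consumed, real char kept
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                cur.append("'")
                i += 2
            else:
                literals.append("".join(cur))
                in_str = False
                i += 1
        else:
            cur.append(ch)
            i += 1
    return literals, "".join(outside), in_str


def store_with_placeholder(message: str) -> str:
    """Insert via a bound parameter (in-memory SQLite, constructed for the demo)
    and read the row back: the driver handles quoting, the stored text is unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (body TEXT)")
    conn.execute("INSERT INTO messages (body) VALUES (?)", (message,))
    return conn.execute("SELECT body FROM messages").fetchone()[0]


if __name__ == "__main__":
    sample = "it's a test"  # constructed input, same as the question's value
    for escaped in (False, True):
        sql = build_insert(sample, escape=escaped)
        lits, rest, open_ = parse_mysql_literals(sql)
        print(f"escape={escaped}: {sql}")
        print(f"  literals={lits!r} outside={rest!r} unterminated={open_}")
    print("placeholder round-trip:", store_with_placeholder(sample))
```

With the unescaped value the parser sees the literal `it`, then the bare text `s a test` where SQL keywords are expected, then an unterminated quote; that is the "trouble" the answer refers to. With the escaped value the parser returns exactly `it's a test`, which is what lands in the table, so the absence of a backslash in phpMyAdmin is the expected result. Bound parameters reach the same outcome without building the statement by hand.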