If I accidentally double escape a string, can the DB be harmed?
For the purposes of this question, let’s say I’m not using stored procedures or parametrized queries.
For example, let’s say I get the following input:
bob's bike
And I escape that:
bob\'s bike
But my code is horrible, and escapes it again:
bob\\\'s bike
Now, if I insert that into a DB, the value in the DB will be
bob\'s bike
Which, while not what I want, won’t harm the DB. Is it possible for any input that’s double escaped to do something malicious to the DB, assuming that I take all other necessary security precautions?
Single escaping is as harmful/harmless as double escaping in terms of security.
The biggest issue is that you need to double-unescape. Otherwise, if you only single-unescape, you will end up with backslashes in database output.
For example, if you run
bob\\\'s bike
through the unescape() function, it will output
bob\'s bike
which will then be printed to the page, unless you unescape it again. But don’t unescape too many times, because this can remove intentional backslashes (and possibly do more harm).
Does this question have anything to do with PHP’s magic quotes feature by chance? Just curious…
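The question's scenario can be checked mechanically. The following is an added example, not code from the question or the answer: escape() and stored_value() are hypothetical helpers that model backslash-style escaping and the way a backslash-escaping SQL parser decodes the body of a '...' literal, assuming a single-byte character set. It goes beyond the one input in the question by testing every short string of quotes and backslashes.

```python
import itertools

def escape(s):
    """Backslash-escape backslashes and quotes (hypothetical, addslashes-style)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")

def stored_value(body):
    """Decode the body of a '...' literal as a backslash-escaping parser would.

    Returns the decoded string, or None if an unescaped quote ends the literal
    early (the injection condition) or the body ends on a dangling backslash.
    Simplification: escaped characters are taken literally; sequences such as
    \\n never arise from escape() output, so this does not affect the result.
    """
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            if i + 1 == len(body):
                return None          # backslash would swallow the closing quote
            out.append(body[i + 1])  # escaped character is kept as data
            i += 2
        elif c == "'":
            return None              # unescaped quote terminates the literal
        else:
            out.append(c)
            i += 1
    return "".join(out)

def check_all(max_len=6, alphabet="a'\\"):
    """Exhaustively test every string over the alphabet up to max_len."""
    count = 0
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = "".join(chars)
            once, twice = escape(s), escape(escape(s))
            assert stored_value(once) == s       # correct round trip
            assert stored_value(twice) == once   # wrong data, still one literal
            count += 1
    return count

if __name__ == "__main__":
    raw = "bob's bike"                          # input from the question
    print(escape(escape(raw)))                  # what gets sent inside the quotes
    print(stored_value(escape(escape(raw))))    # what ends up in the column
    print(stored_value(raw))                    # unescaped input breaks the literal
    print(check_all(), "inputs checked")
```

Under these assumptions the double-escaped value always stays inside the literal and the stored data is simply the single-escaped string, so the cost is corrupted data rather than a broken query.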