I'm trying to prevent SQL injections.
For this purpose I use mysql_real_escape_string().
On my local server (PHP version 5.3.2):
$string = "a'b";
$newstring = mysql_real_escape_string($string);
query("INSERT INTO .. ..field1='$newstring'");
Inserting $newstring into the table puts “a'b”.
On another server (PHP version 5.2.10) it puts “a\'b” into the table.
How can I allow inserting “a'b” and avoid injections?
I don't want to make changes to the INI file and magic_quotes, as it can affect other queries.
I can't use addslashes() as I will have to look for all the usages of getting the value to remove the slashes.
If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
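The difference between the two servers is exactly this double escaping: magic_quotes_gpc (which only touches $_GET, $_POST and $_COOKIE) has already added a backslash on the PHP 5.2.10 server, and mysql_real_escape_string() then escapes that backslash too. The fix is to undo the magic quotes once, where request data enters the application, and escape once, where it is spliced into SQL. The following is an added example written for this answer, not code from the question or from the PHP manual; it targets PHP 5.2/5.3 as in the question (the mysql_* extension was removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0). The table name `demo`, the column `field1`, the connection credentials and the helper names `raw_input`, `insert_escaped` and `insert_prepared` are assumptions.

```php
<?php
// Added example, not code from the original question or answer.
// Written for PHP 5.2/5.3: mysql_* was removed in PHP 7.0 and
// get_magic_quotes_gpc() in PHP 8.0.

// Undo magic_quotes_gpc exactly once, at the point where request data
// enters the application. Afterwards $value is the raw string the client
// sent (e.g. "a'b") on every server, whatever its magic_quotes_gpc setting.
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        // Request arrays (e.g. $_POST['tags'][]) must be walked recursively.
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// Escape exactly once, immediately before the value goes into the SQL text.
// $link is an open mysql_connect() handle; passing it makes the escaping use
// the connection's character set, which mysql_set_charset() must have set.
function insert_escaped($link, $string)
{
    $escaped = mysql_real_escape_string($string, $link);
    // The quotes around $escaped are mandatory: escaping only protects a
    // quoted string literal, not a bare value.
    $sql = "INSERT INTO demo (field1) VALUES ('$escaped')";
    return mysql_query($sql, $link);
}

// The option that removes the escaping question entirely: a prepared
// statement sends the value separately from the SQL text, so a quote in the
// data can never be parsed as SQL. Requires only the raw_input() step above.
function insert_prepared(PDO $pdo, $string)
{
    $stmt = $pdo->prepare('INSERT INTO demo (field1) VALUES (:v)');
    return $stmt->execute(array(':v' => $string));
}

// Usage (assumed credentials and table):
// $link = mysql_connect('localhost', 'user', 'pass');
// mysql_select_db('app', $link);
// mysql_set_charset('utf8', $link);
// insert_escaped($link, raw_input($_POST['field1']));   // stores a'b on both servers
//
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'user', 'pass');
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
// insert_prepared($pdo, raw_input($_POST['field1']));
```

raw_input() is the one place that needs to know about magic_quotes_gpc, so the php.ini setting can stay as it is and the rest of the code base is untouched; applying stripslashes() anywhere else as well would strip legitimate backslashes from the data. With insert_prepared() the escaping step disappears altogether, which is why prepared statements are the preferred answer whenever the code can be moved to mysqli or PDO.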