Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Im using smarty and mysql_real_escape_string() for user input, and when I insert some code with ' or ' , and lookup in phpmyadmin it shows without backslashes.
When I get record from DB i doesn’t have backslashes also. But when I just pass escaped string without inserting into the db it is backslashed.
Shouldn’t it add slashes, insert with them and then I would strip them when i would output? Or am I missing something?
You’re missing it – escaping with backslashes is meant to ensure that queries aren’t malformed, e.g. something like this will surely break and possibly risk SQL injections:
and nothing will be saved in the table, whereas this:
will save the value ‘whatever ‘this’ is’ in the table.