Is mysql_real_escape_string() supposed to replace both addslashes() and stripslashes()?
i.e. do I use it to encode form input variables on MySQL inserts as well as use it in place of stripslashes() on MySQL select statements?
Sincerely,
Confused PHP noob
If you are using the regular MySQL driver module for PHP, then yes, mysql_real_escape_string() is the way to go. You can ignore addslashes() and stripslashes() entirely, in fact. Your query creation will look something like this:

mysql_real_escape_string() should be used on any user input that is going into your query. Note that you don't want to escape your data any other way before inserting it. You shouldn't use addslashes() or htmlentities(), which are common mistakes when storing HTML fragments in a database. You should not need to unescape your data in any way after you have retrieved it.

As other posters mention, there are other MySQL database driver modules for PHP, including PDO and MySQLi. Both offer a feature known as prepared statements, which is an alternative method of creating queries that handles escaping for you.
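The two approaches from the answer above, side by side, as an added example that is not part of the original thread: first the legacy mysql_* driver with mysql_real_escape_string() applied exactly once, at the point a value goes into the SQL string, and a read-back showing that nothing has to be un-escaped afterwards; then the same insert and select with PDO prepared statements, where the values never touch the SQL text at all. The host, database name, credentials, and the users table are assumptions made for the example. One caveat the original thread predates: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so on a current PHP the PDO half is the only one that will run.

```php
<?php
// Added example, not code from the original thread.
// Assumptions: a MySQL server on localhost, database 'app', user 'app',
// password 'secret', and a table created as
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(100), bio TEXT);

// Constructed sample input: values that addslashes()/htmlentities() would mangle.
$name = "O'Reilly";
$bio  = 'Likes "quotes", <b>HTML</b> and \\ backslashes';

// ---- 1. Legacy mysql_* driver (PHP < 7.0): escape once, nothing else ----
function legacy_roundtrip($name, $bio)
{
    $link = mysql_connect('localhost', 'app', 'secret') or die(mysql_error());
    mysql_select_db('app', $link) or die(mysql_error());
    // Escaping is charset-aware, so set the charset on the connection itself
    // (mysql_set_charset), not via a "SET NAMES" query.
    mysql_set_charset('utf8', $link);

    // No addslashes(), no htmlentities(): the only transformation before the
    // value enters the query is mysql_real_escape_string(), with the link so it
    // uses the connection's charset.
    $sql = sprintf(
        "INSERT INTO users (name, bio) VALUES ('%s', '%s')",
        mysql_real_escape_string($name, $link),
        mysql_real_escape_string($bio, $link)
    );
    mysql_query($sql, $link) or die(mysql_error());

    // Read it back. The escaping only protected the SQL syntax; the stored
    // value is the original string, so no stripslashes() on the way out.
    $res = mysql_query(
        "SELECT name, bio FROM users WHERE name = '"
        . mysql_real_escape_string($name, $link) . "'",
        $link
    ) or die(mysql_error());
    $row = mysql_fetch_assoc($res);
    mysql_close($link);

    return $row['name'] === $name && $row['bio'] === $bio;
}

// ---- 2. PDO prepared statements: parameters are sent apart from the SQL ----
function pdo_roundtrip($name, $bio)
{
    $pdo = new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8',
        'app',
        'secret',
        array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: the driver never interpolates values
            // into the statement text on the client side.
            PDO::ATTR_EMULATE_PREPARES => false,
        )
    );

    $stmt = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
    $stmt->execute(array(':name' => $name, ':bio' => $bio));

    $stmt = $pdo->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row['name'] === $name && $row['bio'] === $bio;
}

// Escaping belongs to the output context, not to storage: when the stored
// bio is rendered into an HTML page, escape it for HTML at that point.
function render_bio($bio)
{
    return htmlspecialchars($bio, ENT_QUOTES, 'UTF-8');
}

var_dump(pdo_roundtrip($name, $bio));
echo render_bio($bio), "\n";
if (function_exists('mysql_connect')) {
    var_dump(legacy_roundtrip($name, $bio));
}
```

The two round-trip functions make the answer's last point concrete: in both cases the value that comes back out of the database compares equal to the original string, which is why stripslashes() has no place in the select path. htmlspecialchars() is applied only when the value is rendered into HTML, which is the one place the thread's "don't use htmlentities() before storing" advice leaves for output escaping.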