Question, if you mysql_real_escape_string your variable, how can it still work with your SELECT SQL query? For example:
My row has a column that holds the value 's-Gravenmoer. Now the user types in 's-Gravenmoer and I will escape this entered value for safety. However, the row with the column that holds the value 's-Gravenmoer is never going to pop up; it added slashes before the single quote. Is there a way to do this with mysql_real_escape_string?
Thanks guys!
Sander
You misunderstand the point of escaping data for SQL usage. It doesn’t permanently modify the data. Think of it as wrapping paper around a gift. You’re making a gift of some data to the database, and as such you wrap it up nicely (real_escape_string). Once it reaches the database, the DB server unwraps the gift (removes the escaping) and puts the ‘gift’ into its stash.
At no time would the backslashes you added EVER appear in the stored data, because they’re removed by the DB server as it’s doing the actual insertion. The escapes are there purely to ensure that whatever data you’ve inserted into the query do not “break” the SQL statement, e.g.
resulting sql:
with real_escape_string, your query looks like
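The wrapping and unwrapping described in the answer above, as an added example that is not part of the original thread: a simplified Python model (an assumption, not MySQL's or PHP's own code) of the client-side escape and of how the server reads a quoted literal under default backslash-escape handling. The `places` table and `name` column are hypothetical.

```python
# Simplified model (an assumption, not MySQL source) of both sides of escaping.

# Characters mysql_real_escape_string() prefixes with a backslash.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# What the server turns the letter-coded escape sequences back into.
_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}


def escape(value):
    """Client side: make value safe to place between single quotes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def read_literal(sql):
    """Server side: read the first '...' literal in sql.

    Returns (decoded value, text left over after the closing quote).
    """
    i = sql.index("'") + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # escape sequence: decode it
            out.append(_UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # '' also means one quote
            out.append("'")
            i += 2
        elif ch == "'":                              # closing quote
            return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def build_query(value, escaped):
    v = escape(value) if escaped else value
    # Hypothetical table and column names.
    return "SELECT * FROM places WHERE name = '" + v + "'"


user_input = "'s-Gravenmoer"  # the value from the question
print(build_query(user_input, True))                 # what is sent to the server
print(read_literal(build_query(user_input, True)))   # value the server compares
print(read_literal(build_query(user_input, False)))  # literal ends early, junk left
```

With escaping, the value the server compares against the column is the original `'s-Gravenmoer` with no backslash; without it, the literal closes immediately and the leftover text breaks the statement.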