Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
So I do this:
<?php
session_start();
include("../loginconnect.php");
mysql_real_escape_string($_POST[int]);
$int = nl2br($_POST[int]);
$query = "UPDATE `DB`.`TABLE` SET `interests`='$int' WHERE `user`='$_SESSION[user]'";
mysql_query($query) or die(mysql_error());
mysql_close($con);
?>
And let’s say that $_POST[int] is “Foo’ bar.” The single-quote remains unescaped AND I get a MySQL error when running the script, due to the quote. What’s wrong?
m_r_e_s() RETURNS the escaped value, it doesn’t modify the original.
Note that I’ve added quotes around the
intin the POST value. Without the quotes, PHP sees it as a constant value (e.g. define()). If it doesn’t find a constant of that name, it politely assumes you meant it to be used a string and adjust accordingly, but issues a warning. If you had donepreviously, then you’d be accessing the wrong POST value, because PHP would see it as
$_POST[some totally wonky value]instead.