Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
When I use mysqli->real_escape_string and add a string value to the db such as “who’s”, it adds the string without modifying the quote in any way. When I check the db, the value within it is “who’s”.
When I do not use mysqli->real_escape_string and add a string with a single quote like “who’s”, it just doesn’t get added to the database. It is nowhere to be found.
This isn’t normal, is it?
Yes, it is. It’s a little difficult to answer this question in any more detailed a way than that.
real_escape_string()only escapes the data so it can be safely used in a query, it doesn’t modify it in any way. When you don’t escape it, the query has a syntax error in it so it fails – and the data is not inserted.However the safest way to escape your data is to use prepared statements.