sql injection

Posted: Sat Apr 24, 2010 12:45 pm
by m2babaey
Hi
I usually use mysql_real_escape_string($_POST['field']) to avoid SQL injection.
But this time the form inputs contain single quotes, and when I use mysql_real_escape_string it adds a lot of \\\ to the input. It causes problems. In addition, I noticed $_POST adds a \ before single quotes, so maybe I don't need mysql_real_escape_string anymore?

Any idea?
Thanks in advance

Re: sql injection

Posted: Sat Apr 24, 2010 1:00 pm
by requinix
No. You still need it.

What you don't need is the magic_quotes INI setting. Disable that.
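
Added example, not part of the original posts: a small PHP model of why the input ends up with stacked backslashes when magic quotes and mysql_real_escape_string are both applied, and of escaping exactly once after undoing magic quotes. The helper names and the sample value are assumptions made for illustration; `escape_stand_in()` replaces mysql_real_escape_string() only so the script runs without a database connection.

```php
<?php
// Constructed sample: what the user typed into the form field.
$typed = "O'Brien";

// Model of the magic_quotes_gpc INI setting: PHP applies the equivalent of
// addslashes() to every GET/POST/COOKIE value before the script sees it.
function simulate_magic_quotes($value) {
    return addslashes($value);
}

// Hypothetical stand-in for mysql_real_escape_string(). It escapes the same
// set of characters but does not model the connection character set, so it
// is for demonstration only and not for building real queries.
function escape_stand_in($value) {
    return strtr($value, array(
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ));
}

// Remove the magic-quotes layer exactly once, and only if it was applied.
// On a legacy install the flag would come from get_magic_quotes_gpc().
function undo_magic_quotes($value, $magic_quotes_on) {
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// What the script finds in $_POST while magic quotes are enabled.
$post = simulate_magic_quotes($typed);

// Escaping the already-slashed value escapes the added backslash as well,
// so the stored data no longer matches what the user typed.
$double = escape_stand_in($post);

// Strip the automatic layer first, then escape once for the query.
$fixed = escape_stand_in(undo_magic_quotes($post, true));

echo "typed by the user:       $typed\n";
echo "in \$_POST (magic on):    $post\n";
echo "escaped on top of that:  $double\n";
echo "undone, then escaped:    $fixed\n";
```

With the setting disabled as the reply recommends, the `undo_magic_quotes()` step becomes a no-op and the single escaping pass is the only one applied.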