mysql_real_escape_string() : Works or not?

Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

mysql_real_escape_string() : Works or not?

Post by Aristona »

Hey,

I just wrote my database class. I am sanitizing each parameter with mysql_real_escape_string() automatically.

This is the query output after sanitization:

Code:

    UPDATE PAGE SET content = 'Hello world. \';();\'' WHERE id = '11'

As you can see, it automatically adds backslashes to the left of the ' characters; however, when I browse my MySQL table, I can't see these \ symbols.

So my question is, what could be the reason I can't see backslashes in my MySQL table? Is it a normal thing?
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: mysql_real_escape_string() : Works or not?

Post by twinedev »

The backslashes are so that SQL knows that those single quotes are part of the string, and NOT closing the string. Therefore you will not see them in the database.

-Greg
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: mysql_real_escape_string() : Works or not?

Post by Aristona »

Hey greg,

Thanks for your reply.

Does this mean I should not be worrying about SQL Injection? (cause I thought mysql_real_escape_string() wasn't working properly due to no backslashes in database.)
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: mysql_real_escape_string() : Works or not?

Post by Aristona »

Bumpin' once.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: mysql_real_escape_string() : Works or not?

Post by twinedev »

As long as you properly quote the strings in your SQL and then use mysql_real_escape_string() with all values in between, then you should be safe.

-Greg

PS, no need to "bump" the thread; it just shows impatience, especially in such a short period of time. It doesn't make someone reply faster, and for some people it will tend to push them away from trying to contribute, since they come here for the enjoyment of helping others, not to deal with the neediness they probably get from their day jobs doing this.
Aristona
Forum Commoner
Posts: 33
Joined: Thu Dec 02, 2010 8:14 am

Re: mysql_real_escape_string() : Works or not?

Post by Aristona »

I create a query like this:

    $database->Query('UPDATE X Set A = %s, B = %s', $blablaA, $blablaB);

The Query function in my database class splits on every %s, then replaces each one with the corresponding parameter wrapped as ( ' . mysql_real_escape_string($variable) . ' )
Ex: ' . mysql_real_escape_string($blablaA) . '

When I echo the final query, I see it automatically adds backslashes to inputs, so probably the script is working.
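As an added example (not the poster's class or the forum's code), here is a PHP builder that does what the Query() described above does, always wrapping each %s value in single quotes as twinedev's answer requires; the escaping rules of mysql_real_escape_string() are emulated by a stand-in function (escapeLikeMysql, an assumption so the script runs without a database connection), and decodeLiteral shows what the server actually stores, which is why the backslashes never appear in the table.

```php
<?php
// Stand-in for mysql_real_escape_string(): same characters, same output,
// but no server connection needed. strtr() replaces in one pass and never
// rescans text it has already produced.
function escapeLikeMysql(string $value): string {
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Builds SQL the way the poster's Query() does: every %s becomes a
// single-quoted, escaped literal. A value is never spliced in bare, because
// escaping only protects a value that sits inside quotes.
function buildQuery(string $format, string ...$params): string {
    $parts = explode('%s', $format);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    $sql = $parts[0];
    foreach ($params as $i => $value) {
        $sql .= "'" . escapeLikeMysql($value) . "'" . $parts[$i + 1];
    }
    return $sql;
}

// What MySQL's parser does with the literal on arrival: the backslashes are
// consumed as escape markers, so the stored value is the original text.
function decodeLiteral(string $escaped): string {
    return strtr($escaped, [
        "\\\\" => "\\", "\\'" => "'", "\\\"" => "\"", "\\0" => "\0",
        "\\n" => "\n", "\\r" => "\r", "\\Z" => "\x1a",
    ]);
}

// Constructed sample input: the same content the poster saw echoed.
$content = "Hello world. ';();'";
echo buildQuery("UPDATE PAGE SET content = %s WHERE id = %s", $content, '11'), PHP_EOL;

// The value the table holds equals the original input; the quotes inside it
// were carried safely through the SQL text, and no backslash was stored.
var_dump(decodeLiteral(escapeLikeMysql($content)) === $content);
```

mysql_real_escape_string() itself requires an open connection and was removed in PHP 7.0; in current PHP, mysqli or PDO prepared statements give the same quoting guarantee without assembling SQL strings at all.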
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: mysql_real_escape_string() : Works or not?

Post by social_experiment »

http://php.net/manual/en/function.mysql ... string.php
@OP More information on the subject; have a look at example 1, it looks similar to your script.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering