's Foot
- Mightywayne
- Forum Contributor
- Posts: 237
- Joined: Sat Dec 09, 2006 6:46 am
Sorry, I don't have a better name for the topic. I have no idea what to call the problem.
What's happening is I'm trying to insert the word "Rabbit's Foot" into the database, and it's giving me an SQL error saying it can't insert "s foot" into the DB.
Every option I've tried makes it have a / in the database, which I don't want.
Just a thought, would a \' work? Also, if I understand PHP correctly, if you use a " you can add a ' within it. Seriously, it would help if you posted the code that fails it unless you're directly adding it through a CLI in which case this topic may be in the wrong forum. I could be wrong altogether as I come to PHP from a Python background where quotes do very interesting things.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Daron wrote:
Just a thought, would a \' work?

That's what mysql_real_escape_string() does.
- Mightywayne
- Forum Contributor
- Posts: 237
- Joined: Sat Dec 09, 2006 6:46 am
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Daron wrote:
More seriously, is mysql_real_escape_string() more secure than \ or does it matter?

It escapes characters, which is what the '\' does, plus some. That's why there's a mysql_real_escape_string() as well as the older, outdated mysql_escape_string(). There's even addslashes() which only adds '\' on quotation marks and apostrophes.
Mightywayne wrote:
I see. I wasn't aware that it magically stripped the slashes from the input. I thought what I saw as output was true. Thanks folks!

That's pretty typical with any programming language. You have to escape your literals. Microsoft seems to have ruined many into thinking that it was literal when using \. In any language I've ever seen, in order to get a \ to be counted as literal, you need to do a \\. That's just in case you didn't know, otherwise I'm just assuming too much.
superdezign wrote:
Daron wrote:
More seriously, is mysql_real_escape_string() more secure than \ or does it matter?
It escapes characters, which is what the '\' does, plus some. That's why there's a mysql_real_escape_string() as well as the older, outdated mysql_escape_string(). There's even addslashes() which only adds '\' on quotation marks and apostrophes.

Thanks, I'll have to look into those.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
mysql_real_escape_string() is favored over the other functions. It is much more thorough than adding a slash '\" or using addslashes().
Everah wrote:
mysql_real_escape_string() is favored over the other functions. It is much more thorough than adding a slash '" or using addslashes().

Well, that's enough for me to use it. Thanks.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Daron wrote:
Well, that's enough for me to use it. Thanks.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

And here are some examples of the said exceptions: http://www.webappsec.org/projects/articles/091007.shtml (shameless, yet relevant plug)
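As an added example (not code from the thread), the mechanics discussed above in Python, with an in-memory SQLite table standing in for PHP and MySQL: the concatenated insert that fails on the apostrophe, escaping before concatenation (the job mysql_real_escape_string() does), the double escaping that leaves escape residue in the stored row, and parameter binding, which goes a step beyond the thread by needing no hand escaping at all. The table name, the escape() helper and the sample value are constructed for this example; SQLite only accepts the SQL-standard '' doubling, while MySQL also accepts the \' form that mysql_real_escape_string() emits.

```python
import sqlite3

# Constructed sample value from the thread.
NAME = "Rabbit's Foot"


def fresh_db():
    """In-memory table mirroring the thread's insert (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    return db


def stored(db):
    return [row[0] for row in db.execute("SELECT name FROM items ORDER BY rowid")]


def insert_concatenated(db, value):
    """The failing pattern from the original post: the raw value is pasted into the
    SQL text, so the apostrophe closes the literal early. Returns the error text,
    or None when the statement ran."""
    try:
        db.execute("INSERT INTO items (name) VALUES ('" + value + "')")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def escape(value):
    """Stand-in for the role mysql_real_escape_string() plays: make the value safe
    inside a single-quoted literal. Doubling is the form SQLite understands."""
    return value.replace("'", "''")


def insert_escaped(db, value, times=1):
    """Escape, then concatenate. times=2 reproduces the thread's symptom: the input
    was already escaped once (magic_quotes_gpc or addslashes()) and is escaped
    again, so one layer of escaping survives into the stored row. With MySQL's
    backslash form that residue is the stray slash the poster saw."""
    for _ in range(times):
        value = escape(value)
    db.execute("INSERT INTO items (name) VALUES ('" + value + "')")
    return stored(db)[-1]


def insert_bound(db, value):
    """Parameter binding: the driver keeps data and SQL apart, so no escaping code
    is needed and the value is stored exactly as given, backslashes included."""
    db.execute("INSERT INTO items (name) VALUES (?)", (value,))
    return stored(db)[-1]
```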