Haig Dedeyan wrote:
Hi everyone,
I'm starting to experiment with an edit form and I am seeing the following
behaviour:
$fname = mysql_real_escape_string($fname);
$lname = mysql_real_escape_string($lname);
$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id";
$result = mysql_query($sql);
echo mysql_error() . "\n";
This will result in the addition of the slashes.
If I do the following, there are no slashes. Just wondering if I'm on the
right path with the 1st code set..
$sql = "UPDATE phonedir SET fname =
'".mysql_real_escape_string($fname)."',lname =
'".mysql_real_escape_string($lname)."' WHERE id=$id";
$result = mysql_query($sql);
echo mysql_error() . "\n";
Cheers
Haig
I highly recommend you switch to prepared statements and not use
mysql_real_escape_string
Prepared statements is the right way, and you don't end up with slashes.
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
