On July 10, 2009 11:26:04 pm Haig Dedeyan wrote:
> Haig Dedeyan wrote:
> > Hi everyone,
> >
> > I'm starting to experiment with an edit form and I am seeing the
> > following behaviour:
> >
> > $fname = mysql_real_escape_string($fname);
> > $lname = mysql_real_escape_string($lname);
> >
> > $sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id";
> > $result = mysql_query($sql);
> > echo mysql_error() . "\n";
> >
> > This will result in the addition of the slashes.
> >
> > If I do the following, there are no slashes. Just wondering if I'm on the
> > right path with the 1st code set..
> >
> > $sql = "UPDATE phonedir SET fname = '".mysql_real_escape_string($fname)."',lname = '".mysql_real_escape_string($lname)."' WHERE id=$id";
> > $result = mysql_query($sql);
> > echo mysql_error() . "\n";
> >
> > Cheers
> > Haig
>
> I highly recommend you switch to prepared statements and not use
> mysql_real_escape_string.
>
> Prepared statements are the right way, and you don't end up with slashes.
>
> http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html

Thanks Michael. I didn't know about prepared statements, I'll check this out and see how it works out.

Cheers
Haig
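The switch Michael recommends, as an added example that is not code from the thread: the same phonedir UPDATE done with a PDO prepared statement, so the values travel to the server separately from the SQL text and no slashes are stored. Assumptions: a MySQL database named phonedir_db reachable as user app (DSN and credentials are placeholders) and a table phonedir(id, fname, lname) as in Haig's message.

```php
<?php
// Added example, not from the thread. Assumed schema: phonedir(id INT,
// fname VARCHAR, lname VARCHAR). DSN, user and password are placeholders.

function updatePhonedirEntry(PDO $db, int $id, string $fname, string $lname): int
{
    // Named placeholders stand in for the values. The SQL text is sent to
    // the server once; the values are bound separately, so they are never
    // quoted or escaped into the statement and no backslashes get stored.
    $stmt = $db->prepare(
        'UPDATE phonedir SET fname = :fname, lname = :lname WHERE id = :id'
    );
    $stmt->bindValue(':fname', $fname, PDO::PARAM_STR);
    $stmt->bindValue(':lname', $lname, PDO::PARAM_STR);
    // The thread's query interpolated $id directly into the SQL string;
    // binding it as an integer keeps that value out of the query text too.
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function readLastName(PDO $db, int $id): ?string
{
    // Read the row back to confirm the stored value matches the input.
    $stmt = $db->prepare('SELECT lname FROM phonedir WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

$db = new PDO(
    'mysql:host=localhost;dbname=phonedir_db;charset=utf8mb4', // placeholder DSN
    'app',     // placeholder user
    'secret',  // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Ask for real server-side prepares instead of client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Constructed form input: an apostrophe in the surname is exactly the case
// where escaping-based code shows up as a stored backslash.
$id    = 1;
$fname = 'Haig';
$lname = "O'Brien";

$rows = updatePhonedirEntry($db, $id, $fname, $lname);
echo "Updated $rows row(s); stored lname: " . readLastName($db, $id) . "\n";
```

The mysql_* functions used in the thread were removed in PHP 7, so on current PHP the prepared-statement route is PDO (shown here) or mysqli.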