At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
[1]
$fname = mysql_real_escape_string($fname);
$lname = mysql_real_escape_string($lname);
$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id";
$result = mysql_query($sql);
echo mysql_error() . "\n";
This will result in the addition of the slashes.
[2]
If I do the following, there are no slashes. Just wondering if I'm on the
right path with the 1st code set.
$sql = "UPDATE phonedir SET fname =
'".mysql_real_escape_string($fname)."',lname =
'".mysql_real_escape_string($lname)."' WHERE id=$id";
$result = mysql_query($sql);
echo mysql_error() . "\n";
Haig:
Interesting, I did not know that -- that sounds like a bug to me --
both should be the same.
However, I commonly do [1] and when I have to display the data to a
browser, then I use htmlentities() and stripslashes() before
displaying the data. That way names like O'Brian appear correctly --
else they appear O\'Brian.
Now maybe I'm doing something wrong, but this way works for me. If
there is a better way, I would like to hear it.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
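An added example, not code from the thread or from either poster: it stores a name through a prepared statement and reads it back unchanged, then stores a value that was already escaped once before reaching the query, which leaves the backslash in the database as data. PDO with an in-memory SQLite database (requires the pdo_sqlite extension) is substituted for the thread's mysql_* calls; the helper names `updateName` and `storedLname` and all sample rows are assumptions made for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the thread's mysql_* calls.
// Table and column names come from the thread; all sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phonedir (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');
$db->exec("INSERT INTO phonedir (id, fname, lname) VALUES (1, 'x', 'x'), (2, 'x', 'x')");

// Hypothetical helper: update one row without building SQL from user data.
function updateName(PDO $db, int $id, string $fname, string $lname): void
{
    // Placeholders keep data out of the SQL text, so there is no escaping step
    // to forget or to apply twice; the id is bound as an integer.
    $stmt = $db->prepare('UPDATE phonedir SET fname = :fname, lname = :lname WHERE id = :id');
    $stmt->bindValue(':fname', $fname, PDO::PARAM_STR);
    $stmt->bindValue(':lname', $lname, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

// Hypothetical helper: return the lname column exactly as stored.
function storedLname(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT lname FROM phonedir WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

// Row 1: the raw value goes in, and the same bytes come back out.
updateName($db, 1, 'Pat', "O'Brian");

// Row 2: the value was already escaped once before it reached the query
// (addslashes() simulates that), so the backslash is stored as data.
updateName($db, 2, 'Pat', addslashes("O'Brian"));

foreach ([1, 2] as $id) {
    $lname = storedLname($db, $id);
    // Encode for HTML only at output time; stripslashes() is not needed
    // when the stored value was never escaped twice.
    printf("id=%d stored=%s html=%s\n", $id, $lname,
        htmlspecialchars($lname, ENT_QUOTES, 'UTF-8'));
}
```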