On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
> At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
>
> [1]
>
> >$fname = mysql_real_escape_string($fname);
> >$lname = mysql_real_escape_string($lname);
> >
> >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id";
> >$result = mysql_query($sql);
> >echo mysql_error() . "\n";
> >
> >This will result in the addition of the slashes.
>
> [2]
>
> >If I do the following, there are no slashes. Just wondering if I'm on the
> >right path with the 1st code set..
> >
> >$sql = "UPDATE phonedir SET fname =
> >'".mysql_real_escape_string($fname)."',lname =
> >'".mysql_real_escape_string($lname)."' WHERE id=$id";
> >$result = mysql_query($sql);
> >echo mysql_error() . "\n";
>
> Haig:
>
> Interesting, I did not know that -- that sounds like a bug to me --
> both should be the same.
>
> However, I commonly do [1] and when I have to display the data to a
> browser, then I use htmlentities() and stripslashes() before
> displaying the data. That way names like O'Brian appear correctly --
> else they appear O\'Brian.
>
> Now maybe I'm doing something wrong, but this way works for me. If
> there is a better way, I would like to hear it.
>
> Cheers,
>
> tedd

Thanks Tedd.

I did more testing and here's what I have found.

@PHPSter - magic quotes are off

Just entering simple data where an apostrophe is part of the data.

The following code is entering the slash, but that's because I am escaping it twice, since mysql_num_rows is throwing an error if an apostrophe is in its search:

1 -

$new_fname = mysql_real_escape_string($new_fname);
$new_lname = mysql_real_escape_string($new_lname);
$result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' && lname = '$new_lname'");
$num_rows = mysql_num_rows($result);
if($num_rows > 0)
{
echo $fname." ".$lname." already exists";
}
else
{
mysql_query("INSERT INTO phonedir (fname, lname) VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')") or die(mysql_error());
}

2 - If I do the same code above without the mysql_num_rows and no escaping, the data doesn't get entered. I think this is normal behaviour.

3 - If I do either of the 2 following sets of code, where there is 1 instance of escaping, the data gets entered with the apostrophe but I don't see any backslash entered. The part that I am concerned about is whether I should be seeing the backslash entered without having to double escape.

$new_fname = mysql_real_escape_string($new_fname);
$new_lname = mysql_real_escape_string($new_lname);
$result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' && lname = '$new_lname'");
$num_rows = mysql_num_rows($result);
if($num_rows > 0)
{
echo $fname." ".$lname." already exists";
}
else
{
mysql_query("INSERT INTO phonedir (fname, lname) VALUES('$new_fname','$new_lname')") or die(mysql_error());
}

or

mysql_query("INSERT INTO phonedir (fname, lname) VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')") or die(mysql_error());
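The behaviour the thread is circling around can be shown directly. mysql_real_escape_string() prefixes every ' and \ with a backslash. Escaped once, the SQL text reads 'O\'Brian', MySQL decodes \' back to ' while parsing the literal, and the stored value is O'Brian with no backslash. Escaped twice, the first pass's backslash is itself escaped, the SQL text reads 'O\\\'Brian', MySQL decodes \\ to \ and \' to ', and the stored value is O\'Brian: the stray backslash from case 1 above. Escaping belongs at exactly one place, where the value is pasted into the SQL string, and stripslashes() on output only compensates for a value that was escaped one time too many (or for magic_quotes). Prepared statements remove the question entirely, since the values never travel inside the SQL text. The script below is an added example, not code from the thread; it uses mysqli because the mysql_* extension no longer exists in current PHP, and it assumes a reachable MySQL server with the hypothetical credentials shown and the default sql_mode (NO_BACKSLASH_ESCAPES unset).

```php
<?php
// Added example, not from the thread. Assumes a reachable MySQL server with
// the hypothetical credentials below and the default sql_mode.
declare(strict_types=1);

$db = new mysqli('127.0.0.1', 'demo', 'demo-password', 'demo'); // assumed
if ($db->connect_errno) {
    die("connect failed: " . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is charset-aware; set it before escaping anything

// Scratch table shaped like the thread's phonedir table.
$db->query('CREATE TEMPORARY TABLE phonedir (
    id INT AUTO_INCREMENT PRIMARY KEY,
    fname VARCHAR(50) NOT NULL,
    lname VARCHAR(50) NOT NULL
)') or die($db->error);

/**
 * Insert a row with the names escaped $times times, then read the row back
 * so the stored value, not the SQL text, is what we inspect.
 * Returns [sql_text, stored_fname].
 */
function insert_with_escaping(mysqli $db, string $fname, string $lname, int $times): array
{
    $f = $fname;
    $l = $lname;
    for ($i = 0; $i < $times; $i++) {
        // Each pass prefixes every ' and \ with a backslash, so a second
        // pass escapes the backslashes the first pass introduced.
        $f = $db->real_escape_string($f);
        $l = $db->real_escape_string($l);
    }
    $sql = "INSERT INTO phonedir (fname, lname) VALUES ('$f', '$l')";
    $db->query($sql) or die($db->error);
    $id = $db->insert_id;

    $stmt = $db->prepare('SELECT fname FROM phonedir WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($stored);
    $stmt->fetch();
    $stmt->close();
    return [$sql, $stored];
}

/**
 * The thread's duplicate check plus insert, rewritten with prepared
 * statements: the values are sent separately from the SQL, so there is
 * nothing to escape going in and nothing to strip coming out.
 */
function insert_if_new(mysqli $db, string $fname, string $lname): string
{
    $check = $db->prepare('SELECT COUNT(*) FROM phonedir WHERE fname = ? AND lname = ?');
    $check->bind_param('ss', $fname, $lname);
    $check->execute();
    $check->bind_result($count);
    $check->fetch();
    $check->close();
    if ($count > 0) {
        return "$fname $lname already exists";
    }
    $ins = $db->prepare('INSERT INTO phonedir (fname, lname) VALUES (?, ?)');
    $ins->bind_param('ss', $fname, $lname);
    $ins->execute();
    $ins->close();
    return "inserted $fname $lname";
}

// Escaped once: the SQL text carries O\'Brian; MySQL decodes \' to ' and stores O'Brian.
[$sql1, $stored1] = insert_with_escaping($db, "O'Brian", "Test", 1);
// Escaped twice: the SQL text carries O\\\'Brian; MySQL decodes \\ to \ and \' to ',
// so O\'Brian is stored, which is the backslash the thread's case 1 sees.
[$sql2, $stored2] = insert_with_escaping($db, "O'Brian", "Test", 2);
printf("once:  %s\n       stored: %s\n", $sql1, $stored1);
printf("twice: %s\n       stored: %s\n", $sql2, $stored2);

// Prepared statements, run twice to exercise the "already exists" branch.
echo insert_if_new($db, "D'Angelo", "Test"), "\n";
echo insert_if_new($db, "D'Angelo", "Test"), "\n";

// On the way to a browser the only transformation needed is HTML escaping.
echo htmlspecialchars($stored1, ENT_QUOTES, 'UTF-8'), "\n";
```

Running it once shows the same INSERT storing O'Brian in the single-escape case and O\'Brian in the double-escape case, which is exactly the difference between [1] and [2] in the quoted message: in [1] the variables are escaped and then reused, so any later escaping at the query compounds it. The prepared-statement path is also the one to prefer for the duplicate check, since it cannot be broken by an apostrophe in the search value and it is not vulnerable to SQL injection through $id, which in the quoted UPDATE statements is interpolated unquoted and unescaped.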