Re: MySql Injection advice

On Sat, Jul 11, 2009 at 6:39 PM, Haig Dedeyan<hdedeyan@xxxxxxxxxxxx> wrote:
> On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
>> At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
>>
>> [1]
>>
>> >$fname = mysql_real_escape_string($fname);
>> >$lname = mysql_real_escape_string($lname);
>> >
>> >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE
>> > id=$id"; $result = mysql_query($sql);
>> >echo mysql_error() . "\n";
>> >
>> >This will result in the addition of the slashes.
>>
>> [2]
>>
>> >If I do the following, there are no slashes. Just wondering if I'm on the
>> >right path with the 1st code set..
>> >
>> >$sql = "UPDATE phonedir SET fname =
>> >'".mysql_real_escape_string($fname)."',lname =
>> >'".mysql_real_escape_string($lname)."'  WHERE id=$id";
>> >$result = mysql_query($sql);
>> >echo mysql_error() . "\n";
>>
>> Haig:
>>
>> Interesting, I did not know that -- that sounds like a bug to me --
>> both should be the same.
>>
>> However, I commonly do [1] and when I have to display the data to a
>> browser, then I use htmlentities() and stripslashes() before
>> displaying the data. That way names like O'Brian appear correctly --
>> else they appear 0\'Brian.
>>
>> Now maybe I'm doing something wrong, but this way works for me. If
>> there is a better way, I would like to hear it.
>>
>> Cheers,
>>
>> tedd
>
>
> Thanks Tedd.
>
> I did more testing and here's what I have found.
>
> @PHPSter - magic quotes are off
>
>
> Just entering simple data where an apostrophe is part of the data.
>
> The following code is entering the slash but that's because I am escaping it
> twice since mysql_num_rows is throwing an error if an apostrophe is in its
> search:
>
> 1 -
> $new_fname = mysql_real_escape_string($new_fname);
> $new_lname = mysql_real_escape_string($new_lname);
>
> $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
> lname = '$new_lname'");
> $num_rows = mysql_num_rows($result);
>
> if($num_rows > 0)
>
>          {
>                echo $fname." ".$lname." already exists";
>          }
>
> else
>        {
>
> mysql_query("INSERT INTO phonedir
> (fname, lname)
> VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
> or die(mysql_error());
>        }
>
>
>
>
>
> 2 - If I do the same code above without the mysql_num_rows and no escaping,
> the data doesn't get entered.
>
> I think this is normal behaviour.
>
>
>
>
>
> 3 - If I do any of the 2 following sets of code where there is 1 instance of
> escaping, the data gets entered with the apostrophe but I don't see any back
> slash entered.
>
> The part that I am concerned about is if I should be seeing the backslash
> entered without having to double escape,
>
>
> $new_fname = mysql_real_escape_string($new_fname);
> $new_lname = mysql_real_escape_string($new_lname);
>
>
> $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' &&
> lname = '$new_lname'");
> $num_rows = mysql_num_rows($result);
>
> if($num_rows > 0)
>
>          {
>                echo $fname." ".$lname." already exists";
>          }
>
> else
>        {
>
> mysql_query("INSERT INTO phonedir
> (fname, lname) VALUES('$new_fname','$new_lname')")
> or die(mysql_error());
>        }
>
>
>
> or
>
>
> mysql_query("INSERT INTO phonedir
> (fname, lname)
> VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
> or die(mysql_error());
>
>
>

No offense or anything, but all of this work you've done is
immediately made obsolete the second you switch to prepared
statements.  They're easier to use and more secure, as well as making
code more readable.  I don't understand why it's so hard for them to
catch on among PHP developers when they're so popular in other
languages.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
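As an added example (not code from anyone in this thread), here is the duplicate check, INSERT and UPDATE from the quoted messages rewritten with mysqli prepared statements. It assumes a reachable MySQL server with placeholder credentials and the `phonedir` table from the thread; the names are bound as parameters rather than escaped, so the double-escaping question goes away, and the `$id` that the original interpolated unquoted into the UPDATE is bound as an integer.

```php
<?php
// Added example: the phonedir check/insert/update from the thread using
// mysqli prepared statements. Assumes a MySQL server reachable with the
// placeholder credentials below and a table created as:
//   CREATE TABLE phonedir (id INT AUTO_INCREMENT PRIMARY KEY,
//                          fname VARCHAR(64), lname VARCHAR(64));
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$db->set_charset('utf8mb4'); // connection charset; relevant even when binding

// Insert a name only if it does not already exist. Values are bound, not
// interpolated, so nothing is escaped in PHP: the driver sends SQL and data
// separately and O'Brian is stored as O'Brian, with no backslash.
function addEntry(mysqli $db, string $fname, string $lname): bool
{
    $check = $db->prepare('SELECT COUNT(*) FROM phonedir WHERE fname = ? AND lname = ?');
    $check->bind_param('ss', $fname, $lname);
    $check->execute();
    $check->bind_result($count);
    $check->fetch();
    $check->close();
    if ($count > 0) {
        return false; // already exists
    }
    $ins = $db->prepare('INSERT INTO phonedir (fname, lname) VALUES (?, ?)');
    $ins->bind_param('ss', $fname, $lname);
    $ins->execute();
    $ins->close();
    return true;
}

// The UPDATE from message [1]. There, $id went into the SQL unquoted and
// unescaped; binding it with type 'i' means only an integer can reach the query.
function updateEntry(mysqli $db, int $id, string $fname, string $lname): int
{
    $upd = $db->prepare('UPDATE phonedir SET fname = ?, lname = ? WHERE id = ?');
    $upd->bind_param('ssi', $fname, $lname, $id);
    $upd->execute();
    $rows = $upd->affected_rows;
    $upd->close();
    return $rows;
}

// Usage: apostrophes and backslashes in the input need no special handling.
$added = addEntry($db, 'Haig', "O'Brian");
$changed = updateEntry($db, 1, 'Haig', "O'Brian");
```

Because no escaping is done in PHP, the stored value never acquires a backslash, so stripslashes() on output is unnecessary; htmlentities() (or htmlspecialchars()) is still needed when displaying the value in a browser, since that is an HTML concern, not a SQL one.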