mysql_real_escape_string doesn't add slashes?

So, I am doing this:

    <?php
    session_start();
    include("../loginconnect.php");
    mysql_real_escape_string($_POST[int]);
    $int = nl2br($_POST[int]);
    $query = "UPDATE `DB`.`TABLE` SET `interests`='$int' WHERE `user`='$_SESSION[user]'";
    mysql_query($query) or die(mysql_error());
    mysql_close($con);
    ?>

And let's say that $_POST[int] is the "Foo" panel. The single quote stays the same, and I get a MySQL error when running the script because of the quote. What's wrong?

+1
string php mysql escaping
Jul 08 '11 at 17:13
3 answers

mysql_real_escape_string() RETURNS an escaped value; it does not change the original.

    $int = mysql_real_escape_string($_POST['int']);
    $query = "UPDATE ... interests = '$int' ...";

Note that I have added quotes around int in the POST index. Without quotes, PHP reads it as a constant (the kind created with define()). If it does not find a constant of that name, it politely assumes you meant a string and carries on accordingly, but it issues a warning. If you had done

 define('int', 'some totally wonky value'); 

earlier, then you would be reading the wrong POST value, because PHP would see it as $_POST['some totally wonky value'].

+2
Jul 08 '11 at 17:15

In the query you are not using the result of mysql_real_escape_string. Try this:

    $int = nl2br(mysql_real_escape_string($_POST['int']));
+2
Jul 08
  • You should use prepared statements. There is a bit of a learning curve compared to the mysql_* functions, but it is worth it in the end.
  • You should quote your string keys, for example $_POST['int'] instead of $_POST[int].
  • Put error_reporting(-1); at the top of the file.
0
Jul 08
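The three answers above make three separate points: the escaped value is the function's return value, the array keys need quotes, and prepared statements remove the escaping problem altogether. The following script is an added example, not code from the question or from any answer, that puts them together for the same UPDATE. It uses mysqli because the mysql_* extension the question relies on was removed in PHP 7; the connection details are placeholder assumptions, and `DB`, `TABLE`, `interests` and `user` are the names from the question. It also covers two things the answers do not mention: the WHERE value from `$_SESSION` is interpolated unescaped in the original too, and `nl2br()` has to run before escaping, because the escaping turns real newline characters into backslash-n sequences that `nl2br()` no longer recognises.

```php
<?php
// Added example, not from the question or answers. Requires mysqli (PHP 5.x+ / PHP 7+).
// 'localhost', 'dbuser', 'dbpass' are assumed placeholder credentials.
error_reporting(-1);
session_start();

$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'DB');
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}
// Escaping is charset-aware; set the connection charset before escaping anything.
$mysqli->set_charset('utf8mb4');

// Quote the keys: $_POST[int] is a lookup of the undefined constant "int", not the string 'int'.
$raw  = isset($_POST['int']) ? $_POST['int'] : '';
$user = isset($_SESSION['user']) ? $_SESSION['user'] : '';

// Way 1: escape, then interpolate. real_escape_string() RETURNS the escaped copy;
// calling it without using the result (as in the question) changes nothing.
// nl2br() first, escaping last: the escaper rewrites "\n" as the two characters
// backslash and n, which nl2br() would not turn into <br />.
$int = $mysqli->real_escape_string(nl2br($raw));
$usr = $mysqli->real_escape_string($user);   // the WHERE value is attacker-influenced too
$query = "UPDATE `DB`.`TABLE` SET `interests`='$int' WHERE `user`='$usr'";
if (!$mysqli->query($query)) {
    die($mysqli->error);
}

// Way 2: prepared statement. The values never become part of the SQL text,
// so a quote in "Foo's" cannot break the query and nothing needs escaping.
$stmt = $mysqli->prepare("UPDATE `DB`.`TABLE` SET `interests`=? WHERE `user`=?");
if ($stmt === false) {
    die($mysqli->error);
}
$int2 = nl2br($raw);                 // bind_param takes variables by reference
$stmt->bind_param('ss', $int2, $user);
if (!$stmt->execute()) {
    die($stmt->error);
}
$stmt->close();
$mysqli->close();
```

Both paths are shown only for contrast; in real code pick the prepared statement. Note that escaping only protects a value that is placed inside quotes in the SQL: an unquoted `WHERE id=$id` is still injectable no matter how the value was escaped, which is another reason to bind parameters instead.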


