Should mysql_real_escape_string () leave slashes in the database?

I'm using Smarty and mysql_real_escape_string() for user input, and when I insert text containing ' or " and then search in phpMyAdmin, it shows no backslash.

When I get a record from the database, I also have no backslashes. But when I just output the escaped string without inserting it into the db, it is the opposite.

Shouldn't I add slashes, insert with them, and then strip them when I output? Or am I missing something?


No, that is not what you should do: escaping with backslashes is what keeps the queries from being distorted. For example, something like this will definitely break and possibly risk SQL injection:

insert into table values ('whatever 'this' is')

whereas this:

insert into table values ('whatever \'this\' is')

stores the string whatever 'this' is.

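The contrast the answer draws, as an added example that is not part of the original post and not MySQL's or PHP's own code: a Python model of the escape table mysql_real_escape_string() applies under default settings and of how the server's lexer decodes a quoted literal. It shows that the backslashes exist only in transit (the stored value has none), that the same input left unescaped ends the literal early and changes the statement's structure, and that stripping slashes on output would corrupt values that legitimately contain backslashes. The `parse_quoted_literal` and `stored_value` helpers are a toy lexer for one statement shape, an assumption of this example, not the real MySQL parser.

```python
"""Simulated round trip of mysql_real_escape_string()-style escaping.

Added example, not from the original post. The escape table mirrors the
characters MySQL's escape function handles under default settings
(NUL, \\n, \\r, \\, ', ", Ctrl-Z); the 'server' side is a toy lexer for a
single statement shape, not MySQL itself.
"""
import re

# Characters that mysql_real_escape_string() prefixes with a backslash.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# How the MySQL lexer decodes a backslash sequence inside a string literal.
_UNESCAPES = {
    "0": "\0", "n": "\n", "r": "\r", "\\": "\\", "'": "'", '"': '"',
    "Z": "\x1a", "b": "\b", "t": "\t",
}

PREFIX = "insert into t values ("   # hypothetical table name 't'


def mysql_escape(value: str) -> str:
    """Escape `value` for use inside a quoted MySQL string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def php_stripslashes(value: str) -> str:
    """Approximation of PHP's stripslashes(): drop each backslash and keep
    the character after it, so \\\\ becomes \\ and a trailing \\ is dropped."""
    return re.sub(r"\\(.?)", r"\1", value, flags=re.S)


def parse_quoted_literal(sql: str, start: int):
    """Decode the single-quoted literal beginning at sql[start] the way the
    MySQL lexer does. Returns (decoded_value, index_after_closing_quote)."""
    if sql[start] != "'":
        raise ValueError("expected opening quote")
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # backslash escape
            nxt = sql[i + 1]
            out.append(_UNESCAPES.get(nxt, nxt))     # unknown escape -> the char itself
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # '' is also a literal quote
            out.append("'")
            i += 2
        elif ch == "'":                              # closing quote ends the literal
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(sql: str) -> str:
    """What the server would store for `insert into t values ('...')`.
    Raises if the literal ends before the statement does, i.e. the user's
    input has changed the structure of the query."""
    if not sql.startswith(PREFIX):
        raise ValueError("unexpected statement")
    value, end = parse_quoted_literal(sql, len(PREFIX))
    if sql[end:] != ")":
        raise ValueError(f"query structure changed; trailing SQL: {sql[end:]!r}")
    return value


def build_unsafe(raw: str) -> str:
    """Interpolate the raw input without escaping (the broken version)."""
    return f"{PREFIX}'{raw}')"


def build_escaped(raw: str) -> str:
    """Interpolate the input after mysql_real_escape_string()-style escaping."""
    return f"{PREFIX}'{mysql_escape(raw)}')"


if __name__ == "__main__":
    raw = "whatever 'this' is"           # constructed sample input
    try:
        stored_value(build_unsafe(raw))
    except ValueError as err:
        print("unescaped:", err)
    print("escaped  :", build_escaped(raw))
    print("stored   :", repr(stored_value(build_escaped(raw))))   # no backslashes
    path = r"C:\temp\new"                # constructed value that contains backslashes
    print("stored   :", repr(stored_value(build_escaped(path))),
          "but stripslashes() would give", repr(php_stripslashes(path)))
```

Run it and the unescaped statement fails with the trailing SQL `this' is')` left over after the literal, while the escaped one stores exactly `whatever 'this' is`. The last line is the answer to the question's "strip them on output" idea: the stored value already has no added slashes, so stripping would turn `C:\temp\new` into `C:tempnew`. In real PHP code the cleaner option is to avoid building the literal at all and bind the value with a mysqli or PDO prepared statement.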

Source: https://habr.com/ru/post/1699353/

