Why use mysql_real_escape_string() since $_POST automatically adds slashes before the quote?

In PHP, $_POST adds slashes before the quote automatically, so why bother using mysql_real_escape_string()? For example, when I typed 'rrr in the input field, I get \'rrr when I echo it.

+3
3 answers

Because this only happens if magic quotes is enabled in your PHP configuration, which, as far as I know, is quite rare at the present time. In addition, mysql_real_escape_string also escapes other MySQL-related characters.

http://php.net/manual/en/security.magicquotes.php

, , ^^

: , xampp php.ini , , :

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
+11
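The difference described in the answer above, as an added example that is not part of the original answers. `magic_quotes_emulated()` and `mysql_escape_emulated()` are hypothetical stand-ins written for this illustration so that it runs without a MySQL connection; they reproduce only the character sets the PHP manual documents for magic quotes (same as `addslashes()`) and for `mysql_real_escape_string()`, and the input string is constructed.

```php
<?php
// Stand-in for magic_quotes_gpc: the PHP manual describes its effect as
// identical to addslashes(), i.e. it escapes ' " \ and NUL only.
function magic_quotes_emulated(string $s): string
{
    return addslashes($s);
}

// Stand-in for the character set documented for mysql_real_escape_string():
// \x00, \n, \r, \, ', " and \x1a. The real function also takes the
// connection's character set into account; this emulation does not.
function mysql_escape_emulated(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Make control characters visible when printing.
function show(string $s): string
{
    return strtr($s, ["\r" => '<CR>', "\n" => '<LF>', "\x1a" => '<SUB>']);
}

$input = "O'Reilly\r\nline2\x1a";          // constructed sample form value

$magic  = magic_quotes_emulated($input);   // what $_POST held with magic quotes on
$mysql  = mysql_escape_emulated($input);   // explicit escaping, magic quotes off
$double = mysql_escape_emulated($magic);   // both applied: backslash is escaped again
$fixed  = mysql_escape_emulated(stripslashes($magic)); // undo magic quotes first

printf("%-34s %s\n", 'magic quotes only:', show($magic));
printf("%-34s %s\n", 'mysql escaping only:', show($mysql));
printf("%-34s %s\n", 'magic quotes + mysql escaping:', show($double));
printf("%-34s %s\n", 'stripslashes, then mysql escaping:', show($fixed));

// Magic quotes left CR, LF and \x1a untouched, and stacking both layers
// stores a literal backslash in the data.
var_dump($magic !== $mysql, $double !== $mysql, $fixed === $mysql);
```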
  • mysql_real_escape_string , , .
  • PHP POSTed-, magic_quotes, ( , real_escape_string!)
+6

PHP 5.3.0 PHP 6.0.

: , PHP .

+3

Source: https://habr.com/ru/post/1723087/

