mysql_real_escape_string is being ignored

Question

I would really appreciate any help I can get with this.

I am having real trouble with a form and I cant seem to get mysql_real_escape_string to work at all.

I am using MySQL 5.5 with PHP and to test it out I have created a simple form Magic Quotes is not turned on at all.

Using this form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form name="event_ad" action="test.php" method="post">
    <table>
    <tr>
        <td>Event Name:</td>
        <td><input name="event_name" type="text" size="90" /></td>
    </tr>
    <tr>
        <td>Start Date:</td>
        <td><input name="start_date" type="text" size="90" /></td>
    </tr>
    <tr>
        <td colspan="2" align="center"><input name="Submit" type="submit" id="Submit" value="Add New Event" /></td>
    </tr>
    </table>
</form>
</body>
</html>

Then the data is input nto the table using test.php

<?php
    mysql_connect("localhost","username","password") or die(mysql_error());
    mysql_select_db("databasename") or die(mysql_error());

    $name = $_POST['event_name'];
    $sdate = $_POST['start_date'];
    $name = mysql_real_escape_string($name);

    $sql = "INSERT INTO tblevents (event_name, event_date) VALUES ('" . $name . "','" . $sdate . "')";

    mysql_query($sql);

    echo "success";
?>

(connection details changed)

When I input the Event Name O'Rielly "Smith" it is inserted into the MySQL table as O'Rielly "Smith"

There is no back slashes, no escaping at all.

I really have scoured the internet trying to work this out but it seems that it works for everyone else.

Am I missunderstanding something fundamental here? I would thoroughly appreciate if someone could steer me in the right direction.

This is my first post on this forum, and the html and code formating dont seem to be the same as most forums I have visited, and you cant preview so I hope this turns out OK.

Thanx in advance to any who offer help. Cheers Al.

Answer 1

$name = $_POST['event_name'];
$sdate = $_POST['start_date'];


$db = new mysqli("localhost", "username", "password", "databasename");

$query = "INSERT INTO tblevents (event_name, event_date) VALUES (?, ?)";
$statement = $db->prepare($query);
$statement->bind_param("ss", $name, $sdate);

$statement->execute();
$statement->close();

$db->close();

(I've left out error-checking for connecting)

Answer 2

It has worked fine.

Removing the mysql_real_escape_string will prevent the data being inserted.

Answer 3

Think of escaping as the equivalent of wrapping paper on a birthday present.

You escape data so that any special characters in the data lose their special meaning during the transfer process. Once they're "inside" the target system (html page, database record, etc...), the escaping is no longer necessary, as the place where they could have affected the process is now over.

Same with the wrapped present - once the present is received, you don't need the wrapping paper anymore, so it's removed.

Answer 4

When I input the Event Name O'Rielly "Smith" it is inserted into the MySQL table as O'Rielly "Smith"

That is what is supposed to happen.

Escaping makes the data pass through the query so that the original data ends up in the database. The purpose is not to add extra characters to your stored data, it is to stop characters with special meaning from breaking your SQL.

Answer 5

This is by-design, you shouldn't see any escaped input in your table. It's just for inserting. By using mysql_real_escape_string, your query looks like

INSERT INTO tblevents (event_name, event_date) VALUES ('O\'Rielly \"Smith\"','1.4.2001')";

where these backslashes make sure you don't break the apostrophe

MySQL "deletes" all the backslashes until they're escaped by backslash :)