Reputation: 5050
I am having a problem with mysqli_real_escape_string and single quotes.
Anytime an insert takes a value that includes a ', mysqli_real_escape_string replaces it with \', causing the insert to fail.
I do not have magic quotes enabled, which seems to be a common cause of this problem, but still find I get \' and not \' or even \\'
Can anyone tell me what might have gone wrong here?
Upvotes: 0
Views: 1043
Reputation: 360732
Taking this to an answer since comments are a bit limiting.
So you're generating the query like
$a = mysqli_real_escape_string(... something ...);
$b = mysqli_real_escape_string(... something else ...);
$sql = "INSERT ... VALUES ('$a', '$b')";
?
OK, so let's say this:
$a = "'"; // a is now a single quote: '
$escaped_a = mysql_real_escape_string($a); // should be \' now
$sql1 = "INSERT ... VALUES ('$a' ...";
$sql2 = "INSERT ... VALUES ('$escaped_a' ...";
you should end up with
INSERT ... VALUES (''' ...
INSERT ... VALUES ('\'' ...
The first one is "bad" because of the extra quote. The second is valid.
Upvotes: 2
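The point of the answer above, as an added example that is not part of the original question or answer: the \' that the escape function produces is removed again when the server reads the literal, so the value that arrives is the bare quote. `model_escape` and `model_read_literal` are hypothetical names for simplified models written for this illustration; they are not the mysqli or MySQL implementation, and they assume a single-byte character set with the default SQL mode.

```php
<?php
// Added illustration, not code from the answer. Both functions are simplified
// models (assumptions), not the mysqli or MySQL implementation.
// Models mysqli_real_escape_string() for a single-byte charset: NUL, \n, \r,
// \, ', " and Ctrl-Z each get a backslash prefix.
function model_escape(string $s): string
{
    return strtr($s, [
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\\" => "\\\\",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

// Models how MySQL reads a single-quoted literal when the NO_BACKSLASH_ESCAPES
// SQL mode is off (the default). Returns the value the server would see, or
// null if the closing quote is never found (a syntax error).
function model_read_literal(string $sql): ?string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t",
            'b' => "\x08", 'Z' => "\x1a", '%' => '\\%', '_' => '\\_'];
    $n = strlen($sql);
    if ($n === 0 || $sql[0] !== "'") { return null; }
    $out = '';
    for ($i = 1; $i < $n; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $next = $sql[++$i];               // backslash escape: decode the pair
            $out .= $map[$next] ?? $next;
        } elseif ($c === "'" && $i + 1 < $n && $sql[$i + 1] === "'") {
            $out .= "'";                      // '' inside a literal is one quote
            $i++;
        } elseif ($c === "'") {
            return $out;                      // closing quote
        } else {
            $out .= $c;
        }
    }
    return null;                              // unterminated literal
}

// Constructed sample values: a lone quote, a name with a quote, a backslash.
foreach (["'", "O'Brien", 'a\\b'] as $raw) {
    $unescaped = model_read_literal("'" . $raw . "'");
    $escaped   = model_read_literal("'" . model_escape($raw) . "'");
    printf("%-10s raw: %-8s escaped: %s\n", var_export($raw, true),
        $unescaped === $raw ? 'intact' : 'BROKEN',
        $escaped === $raw ? 'intact' : 'BROKEN');
}
```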