Matt McDonald

Reputation: 5050

Problem with mysqli_real_escape_string (and magic quotes is off)

I am having a problem with mysqli_real_escape_string and single quotes.

Anytime an insert takes a value that includes a ', mysqli_real_escape_string replaces it with \', causing the insert to fail.

I do not have magic quotes enabled, which seems to be a common cause of this problem, but still find I get \' and not \' or even \\'

Can anyone tell me what might have gone wrong here?

Upvotes: 0

Views: 1043

Answers (1)

Marc B

Reputation: 360732

Taking this to an answer since comments are a bit limiting.

So you're generating the query like

$a = mysqli_real_escape_string(... something ...);
$b = mysqli_real_escape_string(... something else ...);

$sql = "INSERT ... VALUES ('$a', '$b')";

?


OK, so let's say this:

$a = "'"; // a is now a single quote: '
// $link is the open mysqli connection (variable name assumed)
$escaped_a = mysqli_real_escape_string($link, $a); // should be \' now

$sql1 = "INSERT ... VALUES ('$a' ...";
$sql2 = "INSERT ... VALUES ('$escaped_a' ...";

You should end up with

INSERT ... VALUES (''' ...
INSERT ... VALUES ('\'' ...

The first one is "bad" because of the extra quote. The second is valid.

Upvotes: 2
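
The escaping described in the answer, as an added example that is not part of the original thread: it inserts a value containing a single quote once through mysqli_real_escape_string and once through a prepared statement, then reads both rows back. The connection details, the temporary table `demo` and the sample value are assumptions made for illustration, and a reachable MySQL server is required.

```php
<?php
// Added example. Host, user, password, database and the temporary table
// `demo` are placeholders (assumptions), not values from the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

$link = mysqli_connect('127.0.0.1', 'demo_user', 'demo_pass', 'demo_db');
mysqli_set_charset($link, 'utf8mb4'); // escaping depends on the connection charset

mysqli_query(
    $link,
    'CREATE TEMPORARY TABLE demo (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(50))'
);

$name = "O'Brien"; // constructed sample input containing a single quote

// 1) Manual escaping: the quote inside $escaped is now preceded by a
//    backslash. That backslash exists only in the SQL text and is consumed
//    by the SQL parser, so it is not part of the stored value.
$escaped = mysqli_real_escape_string($link, $name);
$sql = "INSERT INTO demo (name) VALUES ('$escaped')";
mysqli_query($link, $sql);

// 2) Prepared statement: the value travels separately from the SQL text,
//    so there is no escaping step and no quoting to get wrong.
$stmt = mysqli_prepare($link, 'INSERT INTO demo (name) VALUES (?)');
mysqli_stmt_bind_param($stmt, 's', $name);
mysqli_stmt_execute($stmt);

// Read both rows back to compare what was actually stored.
$result = mysqli_query($link, 'SELECT id, name FROM demo ORDER BY id');
while ($row = mysqli_fetch_assoc($result)) {
    printf("%d: %s\n", $row['id'], $row['name']);
}
```

Seeing \' when the generated query string is printed is the expected result of escaping, so an insert that still fails should be debugged by checking the error mysqli reports for that statement.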
