MySQL real escape string

php mysql sanitization mysql-real-escape-string apostrophe
user490895 picture user490895 · Jan 7, 2011 · Viewed 23.6k times · Source

I was trying to sanitize inputs to my PHP login using addslashes and mysql_real_escape_string. Using addslashes works, but mysql_real_escape_string will not.

Here's an example of what allows me to log in correctly:

$user = addslashes($_POST['user']);<br/>
$password = addslashes($_POST['password']);

And this will not:

$user = mysql_real_escape_string($_POST['user']);<br/>
$password = mysql_real_escape_string($_POST['password']);

Also, some of my other fields contain apostrophes. Nothing is returned when using addslashes, since the entry in the DB isn't escaped. I was wondering if using mysql_real_escape_string could fix this, but I don't know how.

Answer

Calum picture Calum · Jan 7, 2011

Always use mysql_real_escape_string instead of addslashes. Make sure you are connected to the database before running it otherwise you will error.

Related questions

function to sanitize input to Mysql database

I am trying to put a general purpose function together that will sanitize input to a Mysql database. So far this is what I have: function sanitize($input){ if(get_magic_quotes_qpc($input)){ $input = trim($input); // get rid of …

Read More
What is "enough sanitization" for a URL

The URL would be Saved to a MySQL database Used to display a picture on the user's profile would strip_tags() and mysql_real_escape_string() be enough?

Read More
How do I properly sanitize data received from a text area, when outputting it back into the text area?

A user will input text in a textarea. It is then inserted directly into a mySQL database. I use trim, htmlentities, mysql_real_escape_string on it and I have magic quotes enabled. How should I sanitize it when outputting …

Read More