I'm using Smarty and mysql_real_escape_string() for user input,
and when I insert some code with ' or " and look it up in phpMyAdmin
it shows without backslashes.
When I get the record from the DB it doesn't have backslashes either. But when I just pass the escaped string without inserting it into the DB, it is backslashed.
Shouldn't it add slashes, insert with them, and then I would strip them when I output? Or am I missing something?
You're missing it: escaping with backslashes is meant to ensure that queries aren't malformed, e.g. something like this will surely break and possibly risk SQL injection:

    insert into table values ('whatever 'this' is')

and nothing will be saved in the table, whereas this:

    insert into table values ('whatever \'this\' is')

will save the value "whatever 'this' is" in the table.
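To make the answer's point concrete, here is an added example that is not code from the question or the answer. It assumes a reachable MySQL server with the hypothetical credentials and `notes` table named in the comments, and it uses the mysqli functions because the mysql_* family from the question was removed in PHP 7 (the escaping behaviour is identical). It walks through the three cases a practitioner cares about: the raw interpolation that breaks, the escaped query that stores the original value, and the prepared statement that keeps the value out of the SQL text altogether.

```php
<?php
// Added example, not from the original post. Assumes a MySQL database 'demo'
// (hypothetical credentials below) containing:
//   CREATE TABLE notes (body VARCHAR(255));

// Return false from failing queries instead of throwing (PHP 8.1+ throws by
// default), so the malformed statement below can be inspected.
mysqli_report(MYSQLI_REPORT_OFF);

$link = mysqli_connect('localhost', 'app', 'secret', 'demo');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}
// The escaping rules depend on the connection charset. Set it through the
// client library (not via a "SET NAMES" query) so escaping matches the server.
mysqli_set_charset($link, 'utf8mb4');

// Constructed user input containing single quotes.
$input = "whatever 'this' is";

// 1. Raw interpolation: the quotes in $input close the string literal early,
//    so the statement is malformed. With crafted input the remainder is parsed
//    as SQL chosen by the user, which is the injection risk.
$bad = "INSERT INTO notes (body) VALUES ('$input')";
echo $bad, "\n";
if (mysqli_query($link, $bad) === false) {
    echo 'raw query rejected: ', mysqli_error($link), "\n";
}

// 2. Escaped: the backslashes belong to the SQL *syntax* of the string
//    literal. MySQL parses \' back into a plain quote while reading the
//    statement, so the value that lands in the table carries no backslashes.
$escaped = mysqli_real_escape_string($link, $input);
$good = "INSERT INTO notes (body) VALUES ('$escaped')";
echo $good, "\n";
mysqli_query($link, $good);

// 3. Prepared statement: the value is sent separately from the SQL text, so
//    there is nothing to escape on input and nothing to strip on output.
//    This is the form to prefer for any user-supplied value.
$stmt = mysqli_prepare($link, 'INSERT INTO notes (body) VALUES (?)');
mysqli_stmt_bind_param($stmt, 's', $input);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

// Reading back: both stored rows equal the original $input, backslash-free,
// which is exactly what the question observed in phpMyAdmin.
$res = mysqli_query($link, 'SELECT body FROM notes');
while ($row = mysqli_fetch_assoc($res)) {
    echo $row['body'], ($row['body'] === $input ? ' (matches input)' : ' (DIFFERS)'), "\n";
}
mysqli_close($link);
```

Two caveats worth keeping in mind: mysqli_real_escape_string() only protects a value placed inside a quoted string literal (it does nothing for an unquoted numeric position, a column name, or a LIMIT clause), and it needs an open connection with the correct charset to escape safely. The prepared statement in step 3 sidesteps both problems, which is why it is the recommended fix rather than stripping slashes on output.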