PHP mysqli_real_escape_string问题

Question

I have several post variables that I run through the following:

$input_name =  mysqli_real_escape_string($dbc, trim($_POST['input_name']));

I have run several tests where I echo $input_name and other like variables before the insert query executes. The echo indicates that they are indeed getting escaped as they should.

However, when I login to phpmyadmin to look at my entries in the DB, I see that characters that should be escaped are not. Do I have a problem here? Is something happening between my variable declaration and the query that I am not aware of?

Are there php or server settings that could be influencing this?

note: I realize PDO is the way to go, I am just not there at this particular moment.

Answer 1

The *_real_escape_string functions in PHP are only there to prevent SQL injection therefor it will only change " to \\" and ' to \\' so that the following query:

SELECT * FROM users WHERE pass = '' OR '1'='1 --

Will become:

SELECT * FROM users WHERE pass = '\' OR \'1\'=\'1 --

So that the injected value won't work.

Answer 2

The echo indicates that they are indeed getting escaped as they should.

This indicates that your characters are escaped.

when I login to phpmyadmin to look at my entries in the DB, I see that characters that should be escaped are not

Now as you are escaping means that you want to those characters as it is rather than PHP or you database taking them internally as delimiters.

Like if you want ' in your input as it is, so your are escaping it. So now when database(mysql) sees it that is is escaped so it won't considered it as a single quote that is used for string literals in MySQL.

If you don't escape it then MySQL will consider all the part between two ' as string literals.

So everything is fine, don't worry about it.