I have to escape some inputs on a form. I used mysql_real_escape_string to escape the value, but it adds a lot of slashes to the value inside the database. The reason is I have an apostrophe in my input, let us say exp's.
Now, to get rid of the slashes, I use stripslashes after mysql_real_escape_string, and then the data goes to the database successfully and I don't see any apostrophe with the value in the database.
$name = mysql_real_escape_string(trim($_POST['username']));
$name = stripslashes(stripslashes($name));
// then data goes to db successfully without apostrophe
I just wanted to confirm: is this the correct way of escaping the input value? Thanks
Dayan
mysql_real_escape_string(stripslashes($_POST['username']));
No it's not. Check your php.ini for the magic_quotes_gpc setting. If you can't disable it use stripslashes BEFORE using mysql_real_escape_string. The link has a method to strip it globally from $_POST, $_GET and $_COOKIE. Or even better, use prepared statements with PDO
If you have magic_quotes_gpc enabled you should use the stripslashes() function before escaping - otherwise you will escape twice, thus loads of slashes.
http://se.php.net/manual/en/function.mysql-real-escape-string.php
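The order the answers above recommend (undo magic_quotes_gpc first, then hand the raw value to the database layer), shown with a PDO prepared statement. This is an added example, not code from the thread; the raw_input() helper, the users table and the in-memory SQLite database standing in for MySQL (requires the pdo_sqlite extension) are assumptions made so it runs offline.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; the users table and the raw_input() helper are hypothetical.

// Undo magic_quotes_gpc once, at the input boundary, and only if it is on.
// get_magic_quotes_gpc() always returns false from PHP 5.4 onward and no
// longer exists in PHP 8, hence the function_exists() guard.
function raw_input(array $source, string $key): string
{
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input standing in for the submitted form ($_POST).
$post = ['username' => "  exp's  "];
$name = raw_input($post, 'username');

// The value is bound as a parameter and never concatenated into the SQL
// text, so no escaping function is applied and no backslashes are stored.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

// Read the row back through a bound parameter as well.
$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $name]);
$stored = $select->fetchColumn();

// True when the stored value is the original text: apostrophe kept, no slashes.
var_dump($stored === "exp's");
```

Against MySQL, only the DSN and credentials passed to the PDO constructor change; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements.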