
Using stripslashes after mysql_real_escape_string

I have to escape some inputs on a form. I used mysql_real_escape_string to escape the value, but it adds a lot of slashes to the value inside the database; the reason is that I have an apostrophe in my input, let us say exp's.

Now, to get rid of the slashes, I use stripslashes after mysql_real_escape_string, and then the data goes to the database successfully and I don't see any apostrophe with the value in the database.

$name = mysql_real_escape_string(trim($_POST['username']));
$name = stripslashes(stripslashes($name));

// then data goes to db successfully without apostrophe

I just wanted to confirm, is this the correct way of escaping the input value? Thanks

Dayan

  1. Disable magic quotes
  2. mysql_real_escape_string(stripslashes($_POST['username']));

No, it's not. Check your php.ini for the magic_quotes_gpc setting. If you can't disable it, use stripslashes BEFORE using mysql_real_escape_string. The link has a method to strip it globally from $_POST, $_GET and $_COOKIE. Or even better, use prepared statements with PDO.

If you have magic_quotes_gpc enabled you should use the stripslashes() function before escaping - otherwise you will escape twice, thus loads of slashes.

http://se.php.net/manual/en/function.mysql-real-escape-string.php
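
The order the answers recommend, shown as an added example that is not code from the original posts: undo magic quotes first if they are active, then pass the raw value as a bound PDO parameter. It assumes the pdo_sqlite extension and an in-memory database so it runs offline; the `users` table, the sample input and the helper names `raw_input_value` and `save_name` are hypothetical.

```php
<?php
// Added example: table, column and sample input are constructed.
// Written without scalar type hints so it also parses on old PHP 5 installs.

/** Undo magic_quotes_gpc on one value (the setting only exists on PHP < 5.4). */
function raw_input_value($value)
{
    // get_magic_quotes_gpc() was removed in PHP 8, so guard the call.
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

/** Store a name through a bound parameter: no manual escaping at all. */
function save_name(PDO $db, $name)
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute(array(':name' => $name));
}

$db = new PDO('sqlite::memory:');   // with MySQL only the DSN and credentials change
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

$_POST['username'] = " exp's ";     // constructed form input
$name = trim(raw_input_value($_POST['username']));
save_name($db, $name);

// The apostrophe is stored verbatim and no backslashes reach the database.
$stored = $db->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === "exp's");

// Why the question's order is unsafe: stripslashes() after escaping undoes it.
// addslashes() stands in here for mysql_real_escape_string(), which was
// removed in PHP 7 and needs a live MySQL connection on older versions.
$escaped = addslashes($name);
var_dump(stripslashes($escaped) === $name);   // escaping is gone again
```

The second check is the point of the answers: after `stripslashes()` the value sent to the database is the unescaped input, so the query is exactly as exposed to SQL injection as if no escaping had been done.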
