Hi all,

I have a question about mysql_real_escape_string. Is it just used for login scripts, or is it also used for inserting data into a database? My problem is this:

<?php
// Connect and pick the database (credentials omitted in the post)
$connection = mysql_connect("*****", "*****", "*****");
$database_select = mysql_select_db("*****", $connection);

// Raw values as submitted by the form
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];

// Undo any slashes added by magic_quotes, then escape for use inside an SQL string literal
$firstname = stripslashes($firstname);
$firstname = mysql_real_escape_string($firstname);
$lastname = stripslashes($lastname);
$lastname = mysql_real_escape_string($lastname);

// Print the escaped form (this is what shows the backslashes)
echo "<p>" . $firstname . "</p>";
echo "<p>" . $lastname . "</p>";
?>

Now if I type quotation marks and so on, the function works fine and it escapes them, but if I update the database using these newly cleaned variables, the slashes are not there! I would use code like the following to update:

<?php
// Connect and pick the database (credentials omitted in the post)
$connection = mysql_connect("*****", "*****", "*****");
$database_select = mysql_select_db("*****", $connection);

// Raw values as submitted by the form
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];

// Undo any slashes added by magic_quotes, then escape for use inside an SQL string literal
$firstname = stripslashes($firstname);
$firstname = mysql_real_escape_string($firstname);
$lastname = stripslashes($lastname);
$lastname = mysql_real_escape_string($lastname);

// Interpolate the escaped values into the quoted literals of the INSERT statement
$result = mysql_query("INSERT INTO members(firstname, lastname) VALUES ('$firstname', '$lastname')", $connection);
?>

Can you see any mistakes as to why it echoes fine but doesn't update the database with the escaped version?

Thanks,

Anthony

Just to bump this, is this command only used for ARGUMENTS in an SQL query, and not actually for escaping data that is being STORED in the database?

I'm confused about when to use addslashes vs any of these mysql commands, which ones are best and in what situations?
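As an added illustration (not the poster's code), the following Python script reproduces the three ways of building the INSERT from the thread using an in-memory SQLite database as a stand-in for MySQL. `sqlite_escape` is an assumed analogue of mysql_real_escape_string (SQLite doubles the quote where MySQL uses a backslash), and the surname is a constructed sample value. It shows that the escaped form lives only in the SQL text, while the table receives the original value, and that a bound parameter needs no manual escaping at all.

```python
import sqlite3

# Constructed sample value: a surname containing the quote the poster was
# escaping, plus a backslash so both special characters are exercised.
RAW_LASTNAME = "O'Reilly \\ Co"

def sqlite_escape(value: str) -> str:
    """SQLite analogue of mysql_real_escape_string (assumed stand-in).

    MySQL escapes with a backslash (\\'); SQLite doubles the quote ('').
    Either way the result is valid only inside the SQL text: the parser
    consumes the escaping, and the table stores the original value.
    """
    return value.replace("'", "''")

def insert_unescaped(conn: sqlite3.Connection, lastname: str) -> None:
    # Equivalent of mysql_query("INSERT ... VALUES ('$lastname')") with no
    # escaping: a quote inside the value terminates the literal early.
    conn.execute(f"INSERT INTO members(lastname) VALUES ('{lastname}')")

def insert_escaped(conn: sqlite3.Connection, lastname: str) -> None:
    # The poster's approach: escape, then interpolate into the statement.
    safe = sqlite_escape(lastname)
    conn.execute(f"INSERT INTO members(lastname) VALUES ('{safe}')")

def insert_parameterized(conn: sqlite3.Connection, lastname: str) -> None:
    # Bound parameter: the driver keeps data and SQL apart, no escaping needed.
    conn.execute("INSERT INTO members(lastname) VALUES (?)", (lastname,))

def stored_values(conn: sqlite3.Connection) -> list[str]:
    return [r[0] for r in conn.execute("SELECT lastname FROM members ORDER BY rowid")]

def demo() -> tuple[str, str, list[str]]:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members(lastname TEXT)")
    try:
        insert_unescaped(conn, RAW_LASTNAME)
        unescaped_outcome = "inserted"
    except sqlite3.OperationalError:
        unescaped_outcome = "syntax error"
    insert_escaped(conn, RAW_LASTNAME)
    insert_parameterized(conn, RAW_LASTNAME)
    # Both surviving rows hold the raw surname: no doubled quote, no slashes.
    return unescaped_outcome, sqlite_escape(RAW_LASTNAME), stored_values(conn)

if __name__ == "__main__":
    print(demo())
```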
