This is my code, in which I am getting $_POST from an HTML form. I am using the mysql_real_escape_string function, which should escape characters like these:


But when I enter these special characters in the form, they go into the database. They should be escaped. I don't know why this is happening. Please, somebody help me!

<?php
// Connect with a real account; the empty user and password as posted only
// work if the MySQL server permits an anonymous user.
$con = mysql_connect("localhost", "", "");
if (!$con)
  die('Could not connect: ' . mysql_error());

mysql_select_db("finalcomments", $con);

// Trim the submitted name, then escape it so quotes and control characters
// are carried inside the SQL string literal instead of terminating it.
$_POST['name'] = trim($_POST['name']);
$name = mysql_real_escape_string($_POST['name']);

// $title is not defined in this snippet. It must be a fixed table name chosen
// by the script, never taken from user input: escaping protects only values
// inside quotes, not identifiers such as table names.
$sql = "INSERT INTO $title(name) VALUES ('$name')";

if (!mysql_query($sql, $con))
  die('Error: ' . mysql_error());
echo "Your Comment Will be Reviewed";

"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

Do you want them removed? Just replace them with str_replace.

Sorry, I didn't understand you. My English is not so good. All I want to say is: when I enter \n in the HTML form, it goes into the database, but it should be escaped. Why does it go into the database?

If you see '\n' in the database, that means it is escaped.

It will not cause SQL injection, right?

Nope. But I doubt you want those in a name, so I suggest removing them entirely.

What I understand from "escaping" is that \n would be deleted whenever I enter \n in the form, isn't it?

Then what does this sentence really mean: "mysql_real_escape_string() escapes those characters"?

It makes them ready to be entered correctly into the database.

I still don't understand what this function actually does. Does it improve security or not?

Yes it does. It escapes a tab character so it is inserted correctly. Otherwise the query could fail. If you want to improve your security, it is wiser to remove them altogether.

So you are saying that in the MySQL query \n will not be processed, right? Like, if I enter "aaloo \njack", the MySQL query will read it as "aaloo jack", \n is escaped, right?

Escaped yes, removed no. Just see what it outputs if you read it back from the database.
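To make "escaped yes, removed no" concrete, here is an added example that is not code from the thread. It mimics the documented behaviour of mysql_real_escape_string() in plain PHP so it runs without a database server, shows the SQL text produced for the "aaloo \njack" input and for a quote-breaking input, shows stripping control characters as the separate choice the first answer suggests, and ends with the mysqli prepared-statement form that replaced the mysql_* extension (removed in PHP 7). The table name `comments`, the credentials, the `RUN_DB_DEMO` switch and the helper names are assumptions.

```php
<?php
// Added example, not the original poster's code. Mimics the documented
// behaviour of mysql_real_escape_string() so it runs without a server, then
// shows the prepared-statement form. Table name and credentials are placeholders.

declare(strict_types=1);

// Simplified stand-in for mysql_real_escape_string(): prepends a backslash to
// NUL, \n, \r, \, ', " and Ctrl-Z, exactly the list the manual gives. The real
// function also honours the connection character set (which is why it needs
// an open connection); this stand-in does not, so use it only to inspect the
// escaped SQL text, never as a replacement in production.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Builds the INSERT the way the original snippet does: by interpolating the
// value into the SQL string, with or without the escaping step.
function build_insert(string $table, string $name, bool $escape): string
{
    $value = $escape ? escape_like_mysql($name) : $name;
    return "INSERT INTO `$table` (name) VALUES ('$value')";
}

// 1. A real newline in the form field. After escaping, the SQL text carries
//    the two characters backslash and n. MySQL decodes that escape sequence
//    back into a newline when it stores the row, so the stored name still
//    contains the newline: escaped yes, removed no.
$name = "aaloo \njack";                 // constructed input taken from the thread
echo build_insert('comments', $name, true), "\n";

// 2. A single quote in the field. Without escaping, the quote ends the string
//    literal and the remainder of the input is parsed as SQL, which here
//    turns one INSERT into a two-row INSERT. With escaping, the quote is
//    carried inside the literal and one row with the literal text is stored.
$hostile = "x'), ('injected";           // constructed hostile input
echo build_insert('comments', $hostile, false), "\n";
echo build_insert('comments', $hostile, true), "\n";

// 3. If control characters should not be stored at all, strip them before
//    the value reaches the query. Stripping is validation (a decision about
//    what a name may contain); escaping is how any value is transported
//    safely. They are separate steps and one does not replace the other.
$clean = preg_replace('/[\x00-\x1f\x7f]/', '', $name);
echo build_insert('comments', $clean, true), "\n";

// 4. The current way to do the same insert. A prepared statement sends the
//    value separately from the SQL text, so no escaping step is needed and
//    no input can end the literal. The table name is the one part that must
//    still be fixed in the script rather than taken from the request.
function insert_comment(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO comments (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Only runs against a real server when RUN_DB_DEMO is set (assumed switch).
if (PHP_SAPI === 'cli' && getenv('RUN_DB_DEMO')) {
    $db = new mysqli('localhost', 'user', 'password', 'finalcomments');
    var_dump(insert_comment($db, $hostile));   // stored literally, one row
}
```

Run it with `php example.php` to see the three SQL strings; the unescaped hostile case is the injection the escaping exists to prevent, and reading the first row back with SELECT would show the newline still present, which is what the answer above means by "escaped yes, removed no".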

Yeah, I got it. It is sending \n directly to the database without being processed in the query, right?

Thanks man, it was nice to talk with you.

Please consider marking this thread solved.

OK, I was waiting for your "bye".