
This is my code, in which I am getting $_POST from an HTML form. I am using the mysql_real_escape_string function, which should escape characters like these:

\x00
\n
\r
\
'
"
\x1a

But when I enter these special characters in the form, they are going into the database. They should be escaped. I don't know why it is happening. Please, somebody help me!

<?php
$con = mysql_connect("localhost","","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("finalcomments", $con);

// Default to an empty string so the INSERT below never uses an undefined variable.
$name = '';
if(isset($_POST['name']))
{
$_POST['name'] = trim($_POST['name']);
// Escapes \x00, \n, \r, \, ', " and \x1a by prefixing them with a backslash;
// it does not remove them. Requires an open connection, hence it runs after mysql_connect().
$name = mysql_real_escape_string($_POST['name']);
}

// $title (the table name) is expected to be set earlier in the script; it is not
// escaped by mysql_real_escape_string(), so it must never come from user input.
$sql="INSERT INTO $title(name) VALUES ('$name')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
 echo "Your Comment Will be Reviewed";
mysql_close($con);
?>



"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

Do you want them removed? Just replace them with str_replace.


Sorry, I didn't understand you. My English is not so good. All I want to say is: when I enter \n in the HTML form, it is going into the database, but it should be escaped. Why is it going into the database?


What I understand from "escaping" is that \n would be deleted whenever I enter \n in the form, isn't it?


Then what is really meant by this sentence, "mysql_real_escape_string() escapes those characters"?


I still don't understand what this function actually does. Does it improve security or not?


Yes it does. It escapes a tab character so it is inserted correctly. Otherwise the query could fail. If you want to improve your security, it is wiser to remove them altogether.


So you are saying that in the MySQL query \n will not be processed, right? Like, if I enter "aaloo \njack", the MySQL query will read it as "aaloo jack", \n is escaped, right?


Yeah, I got it. It is sending \n directly to the database without it being processed in the query, right?
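As an added example (not part of the thread, and not code from either participant): a pure-PHP model of the escape table quoted above and of how the MySQL parser reads the quoted literal back. It runs without a database, so you can see why a typed backslash followed by n survives into the table as those two characters, why a real newline survives as a newline, and why a quote in the input cannot end the SQL string. The function names, the table name comments and the sample inputs are assumptions made for this example; the real mysql_real_escape_string() needs an open connection and was removed in PHP 7, where mysqli or PDO prepared statements replace it.

```php
<?php
// Added example, not code from the thread. Models the documented escape table
// of mysql_real_escape_string() (\x00, \n, \r, \, ', " and \x1a) for a
// default-charset connection; function and table names are assumptions.

function escape_like_mysql(string $s): string {
    // Each special byte becomes a two-character backslash sequence.
    // Nothing is removed: the data is preserved, only its SQL spelling changes.
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

function unescape_like_mysql(string $literal): string {
    // What the server stores: each escape sequence turns back into the single
    // byte it stood for. strtr() never rescans replaced text, so an escaped
    // backslash followed by n decodes to the two characters \ and n, not LF.
    return strtr($literal, [
        '\\0'  => "\x00",
        '\\n'  => "\n",
        '\\r'  => "\r",
        '\\\\' => "\\",
        "\\'"  => "'",
        '\\"'  => '"',
        '\\Z'  => "\x1a",
    ]);
}

function build_query(string $name, bool $escape = true): string {
    // Same shape as the INSERT in the thread; the table name is assumed.
    $value = $escape ? escape_like_mysql($name) : $name;
    return "INSERT INTO comments(name) VALUES ('" . $value . "')";
}

function stored_value(string $query): string {
    // Pull the quoted literal out of the query and decode it as the server would.
    preg_match("/VALUES \\('(.*)'\\)$/s", $query, $m);
    return unescape_like_mysql($m[1]);
}

// Constructed form inputs (assumed, for illustration).
$cases = [
    'typed backslash + n' => 'aaloo \\njack',                 // two characters: \ n
    'real newline'        => "aaloo \njack",                  // one LF byte
    'quote in the name'   => "O'Brien",
    'injection attempt'   => "x'); DROP TABLE comments; -- ",
];

foreach ($cases as $label => $input) {
    $q = build_query($input);
    printf("%-22s input : %s\n", $label, json_encode($input));
    printf("%-22s query : %s\n", '', $q);
    printf("%-22s stored: %s\n\n", '', json_encode(stored_value($q)));
}

// Without escaping, the single quote ends the literal and the rest is SQL.
echo "unescaped: ", build_query("x'); DROP TABLE comments; -- ", false), "\n";
```

Run it with php on the command line. The "typed backslash + n" case answers the question in the thread: the form sends the two characters \ and n, escaping doubles the backslash in the query, and the server decodes that back to \ and n, so the same two characters appear in the table. Escaping guarantees the row holds exactly what was typed; if you want newlines or backslashes gone, strip them with str_replace before escaping, as suggested above.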
