Could someone explain why I need to use mysql_real_escape_string ??

[djbeta]

Hi,

Could someone explain why it is that you need to use the mysql_real_escape_string function ? i.e. tell me exactly what it does ?

I'm reading a book about MySQL/PHP I'm at a section where the author introduces this function.. but he doesn't really give an explanation of what exactly the function does.

 

[djbeta]

I should mention, that I read this explanation from the php manual:

This function will escape the unescaped_string, so that it is safe to place it in a mysql_query().

But.... I guess I don't understand what it means to escape it.. nor do I understand why it is unsafe to place an unescaped string into a query..

sorry to be such an ignoramus !!!
thank you for your time.

 

[djbeta]

Okay... I proceeded with reading even though I didn't understand and found an explanation of why this function needs to be used a few pages later -- thanks author.

It says "without the use of this function and without Magic Quotes on, a common name like O'Malley will generate a MySQL error."

B U T . . .

I tested this with a registration script I wrote that didn't include the use of this function. And guess what, it allowed me to submit O'Reilly, and O"Reilly and #$#$@#%@#%@#!#% without a problem and no MySQL error..

so now I know for what this function is intended... but, do I *need* to use it ?? what's the deal.. does my version of php/mySQL have things built in ?

my setup is MySQL 4.0.18 PHP 4.3.10


Thanks again.

 

[sleipnir214]

If your test did not cause problems, then your installation has Magic Quotes set to "on". The next PHP installation you work with may have this value set to "off", in which case the apostrophe in "O'Malley" will cause the query to barf.

The manual is assuming a worst-case scenario. It's still a good idea to continue using it, if for no other reason than it's a good programming habit to get into.


Want the best answers? Ask the best questions!

TANSTAAFL!!