escaping for mysql INSERT

leegold2

Technical User
Oct 10, 2004
116
I had a situation where the code:

$descrip_field=addslashes($descrip_field);

Allowed content to be successfully inserted into a DB. It worked OK.


But the code:

if (!get_magic_quotes_gpc()) {
$descrip_field = mysql_real_escape_string($descrip_field);
}

Did *not* enable content to be inserted and caused mysql syntax errors with certain content - I assume this code was not properly escaping the content I wanted to insert.

So, to simplify this: what would cause addslashes() to work and the other code (which I see often as a "recommended" way to escape) not to work? What PHP server level configs or code level problems could cause one to work and the other to cause me to come into work on Saturday and rip hair until I tried addslashes? What could cause the situation I described?

Thanks
 
Try using PHP's mysql_escape_string function when adding your data to the database.
 
mysql_real_escape_string needs a link to the database so that it can determine the current character set. It would have worked if you had connected and selected the database, then built the SQL string and then run the query (in that order).

If you have to build the string before the connection, then I use mysql_escape_string (although this is now deprecated).
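
The ordering described in the reply above (connect, then escape, then query), as an added example that is not code from the thread. It uses the mysqli extension because the mysql_* functions were removed in PHP 7.0; the host, credentials, database, table and sample text are placeholders constructed for illustration.

```php
<?php
// Added example. Connection details, the `items` table and the sample
// text are assumptions, not values from the thread.

// Throw exceptions on failure so an escaping or query error is never silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_escaped(mysqli $db, string $descrip): void
{
    // Escape only AFTER the connection exists: the routine consults the
    // connection's character set to decide which bytes need a backslash.
    $safe = $db->real_escape_string($descrip);
    $db->query("INSERT INTO items (descrip_field) VALUES ('$safe')");
}

function insert_prepared(mysqli $db, string $descrip): void
{
    // Prepared statement: the value travels separately from the SQL text,
    // so there is no escaping step that can run at the wrong time.
    $stmt = $db->prepare('INSERT INTO items (descrip_field) VALUES (?)');
    $stmt->bind_param('s', $descrip);
    $stmt->execute();
    $stmt->close();
}

// 1. Connect and select the database first.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

// 2. Fix the connection character set before any escaping happens.
$db->set_charset('utf8mb4');

// 3. Only now build and run the statements (constructed sample input).
$descrip = "O'Reilly's 5\" disk, path C:\\temp";
insert_escaped($db, $descrip);
insert_prepared($db, $descrip);

$db->close();
```

Both inserts store the sample text unchanged, quotes and backslash included; the prepared form is the one to prefer in new code.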
 