Posted by Good Man on 02/23/07 23:02
MattMika <mattmika@hotmail.com> wrote in
news:t9out25kee9hgnn14r965n7nrcff37pqdq@4ax.com:
> When I execute an insert of $_POST["description"]; with the value
> O'Reilly
>
> - without mysql_real_escape_string() I get a SQL syntax error near the
> single quote.
>
> - with mysql_real_escape_string() the field is written as O'Reilly in
> the db field.
>
> I was under the impression that escaped strings would be written to
> the DB like O/'Reilly, but it's not.

Hi

It's working as it should. It's escaping the single quote because as
you noted in your first point, it causes a syntax error because MySQL
interprets it as part of a command/instruction to the database.

The escape slash is there strictly for MySQL to recognize the single
quote as a part of the data you are inserting, not as part of the
command you are sending to MySQL.

You really wouldn't want "O/'Reilly" as a name in your database table if
the person's real name is "O'Reilly", would you? Then you would have to
call stripslashes(); when calling *all* your data!!!! And that would
certainly mess things up if a value in your table was "Sleater/Kinney".

As an aside, just note that if you call mysql_real_escape_string
directly on an array, it will mess up your array; use it on the VALUES
in the array as opposed to the array itself.
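
The behaviour described in the reply above, as an added example that is not part of the original post: a small Python model of how MySQL reads a single-quoted string literal, showing that the backslash added by escaping is consumed by the parser and never stored. It assumes the default sql_mode (backslash escapes enabled); the `items` table name and the helper functions are hypothetical.

```python
# Constructed model of MySQL string-literal parsing (default sql_mode,
# NO_BACKSLASH_ESCAPES off). Not PHP's or MySQL's own code.

# Characters mysql_real_escape_string() prefixes with a backslash.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# Escape sequences the server turns back into a single character.
DECODES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}


def escape(value):
    """Mimic mysql_real_escape_string() for an ASCII-compatible charset."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def read_literal(sql, start):
    """Parse the quoted literal opening at sql[start]; return (value, end)."""
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            # \% and \_ keep their backslash; any other \x decodes to x.
            out.append("\\" + nxt if nxt in "%_" else DECODES.get(nxt, nxt))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")          # '' inside a literal is one quote
            i += 2
        elif ch == "'":
            return "".join(out), i + 1   # unescaped quote ends the data
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(description, escaped):
    """Return (value the server would store, SQL left after the literal)."""
    data = escape(description) if escaped else description
    # Hypothetical table name; the value is concatenated as in the post.
    sql = "INSERT INTO items (description) VALUES ('" + data + "')"
    value, end = read_literal(sql, sql.index("'"))
    return value, sql[end:]


if __name__ == "__main__":
    print(stored_value("O'Reilly", escaped=False))  # literal ends after "O"
    print(stored_value("O'Reilly", escaped=True))   # backslash consumed
```

In the unescaped case the text left over after the literal is what the server then tries to parse as SQL, which is the syntax error reported in the question.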