Posted by mun on 03/15/07 04:41

when magic_quotes_gpc = off, what is the difference between
addslashes($var) and my_real_escape_string($var).

I use a function from php manual like this:

function quote_smart($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not integer
if (!is_numeric($value)) {
$value = " ' " . mysql_real_escape_string($value) . " ' ";
}
return $value;
}


I use it with a select query like this: "select * from table where id
= ".quote_smart($_GET["id"]) and it doesn't work (no result returned).
But when I replace the quote_smart function with the normal addslashes
function, it works. (my default magic_quotes_gpc = off)

[Back to original message]