Posted by Gleep on 03/24/07 03:27

On Fri, 23 Mar 2007 20:09:57 GMT, "Simon Harris" <too-much-spam@makes-you-fat.com> wrote:

>Hi All,
>
>I am using mysql_real_escape_string() on strings before they are entered
>into mySQL. This has worked Ok, but when I get the information out,
>single/double quotes are preceeded with a \ (Escaped) so,
>"Something in quotes" becomes \"something in quotes\"
>
>Do I need to replace \" with " before I print the string to the page? Or am
>I missing something? Is there an opposite to mysql_real_escape_string() that
>I should call on the string when reading the data from mySQL? Or perhaps I
>have totally missed the point of this function? :)
>
>Any help/suggestions muchly appreciated!
>
>Simon.
>
>--



I wrote up this function to prevent sql injections
i didn't test it - but it should work

function cleanVar($str) {
if(is_numeric($str))
return $str;
else {
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
if(function_exists('mysql_real_escape_string'))
return mysql_real_escape_string($str);
elseif(function_exists('mysql_escape_string'))
return mysql_escape_string($str);
else
return addslashes($str);
} // end magic
} // end numeric
} // end function


// example usage
$query = "UPDATE users SET name=". cleanVar($name) .", id=". cleanVar($id) ." ";

[Back to original message]