Posted by "bruce" on 10/19/78 11:27
one more question/issue...
the mysql_real_escape function escapes with a '\' which works for mysql, but isn't standard ansi... is there another function that does the same thing, but uses the ansi standard "'". also, if there is another function, does it also work with mysql??
thanks
-bruce
-----Original Message-----
From: Jasper Bryant-Greene [mailto:jasper@bryant-greene.name]
Sent: Thursday, September 22, 2005 4:39 PM
To: php-general@lists.php.net
Subject: Re: [PHP] basic user/input form questions... more validation!
bruce wrote:
> not sure i agree with this one.. if i put "foo \' cat" in a db tbl...
> i expect that i'll get the same out... which is what some of the articles
> i've seen have stated.. are you telling me, and are you sure, that i'd get
> "foo ' cat" out instead!!????
>
> the articles i've seen imply that if you addslashes, you also need to
> stripslashes on the backend...

With all due respect, you are demonstrating a fundamental lack of
understanding of the principle of escaping anything...

The point of escaping the quote mark is so that it looks *exactly like a
quote mark* to MySQL, rather than like the delimiter for a string value.
MySQL treats the character sequence \' as ' when inside a string value.

When you SELECT the data at the other end, MySQL will not give you the
slashes, because the slashes are not stored in the database table.

If you do run stripslashes() on the output, you will lose data in some
situations. So don't.

Hope that made sense and helped...
--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
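
The round trip described in the reply above, as an added example that is not part of either message: each value is escaped only for the statement text, comes back from the database unchanged, and is then damaged by stripslashes() when it contains backslashes of its own. Assumptions: PHP with the pdo_sqlite extension, an in-memory SQLite database standing in for MySQL (its driver escapes a quote by doubling it), and a made-up table name `notes`.

```php
<?php
// Added illustration, not code from the thread.
// Assumptions: pdo_sqlite is enabled; the table name "notes" is made up.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample inputs.
$samples = [
    "foo ' cat",      // a plain quote mark
    "foo \\' cat",    // the literal characters  foo \' cat  from the thread
    'C:\new\table',   // data that legitimately contains backslashes
];

function roundTrip(PDO $pdo, string $value): array
{
    // quote() escapes for the statement text only. The SQLite driver doubles
    // the quote mark; backslashes are ordinary characters to it.
    $literal = $pdo->quote($value);
    $pdo->exec("INSERT INTO notes (body) VALUES ($literal)");

    // What the database actually stored: no escape characters are added.
    $stored = $pdo->query('SELECT body FROM notes ORDER BY id DESC LIMIT 1')
                  ->fetchColumn();

    return [
        'literal'  => $literal,
        'stored'   => $stored,
        'stripped' => stripslashes($stored), // "unescaping" on the way out
    ];
}

foreach ($samples as $value) {
    $r = roundTrip($pdo, $value);
    printf("input    : %s\n", $value);
    printf("literal  : %s\n", $r['literal']);
    printf("stored   : %s (%s)\n", $r['stored'],
        $r['stored'] === $value ? 'identical to input' : 'CHANGED');
    printf("stripped : %s (%s)\n\n", $r['stripped'],
        $r['stripped'] === $value ? 'identical to input' : 'DATA LOST');
}
```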