ecabrera Posted March 31, 2012 Share Posted March 31, 2012 the mysql_real_escape_string does not add slashes when it enter my db y if(isset($_POST['submitbtn'])){ //will open up the db connection require_once"../includes/connect.php"; $errors = ""; $welcometitle = mysql_real_escape_string($_POST['welcometitle']); $welcomesection = mysql_real_escape_string($_POST['welcomesection']); $infotitle = mysql_real_escape_string($_POST['infotitle']); $infosection = mysql_real_escape_string($_POST['infosection']); $videotitle = mysql_real_escape_string($_POST['videotitle']); $videosection = mysql_real_escape_string($_POST['videosection']); if(isset($welcometitle, $welcomesection) && !empty($welcometitle) && !empty($welcomesection)){ if(isset($infotitle, $infosection) && !empty($infotitle) && !empty($infosection)){ if(isset($videotitle, $videosection) && !empty($videotitle) && !empty($videosection)){ //adding them to the db //adding them to the db $query = mysql_query("UPDATE `home` SET `welcometitle`= '$welcometitle', `welcomesection`= '$welcomesection', `infotitle`='$infotitle', `infosection`= '$infosection',`videotitle`= '$videotitle',`videosection`= '$videosection'") or die(mysql_error()); header("location: http://www.website.org/control/edithome"); }else{ $errors = "Please fill in the Video Section"; } }else{ $errors = "Please fill in the Info Section"; } }else{ $errors = "Please fill in the Welcome Section"; } mysql_close();//will close the inlcude db connection } ?> Quote Link to comment Share on other sites More sharing options...
AyKay47 Posted March 31, 2012 Share Posted March 31, 2012 it won't Quote Link to comment Share on other sites More sharing options...
ecabrera Posted March 31, 2012 Author Share Posted March 31, 2012 y isn't it suppose to help sql injeion Quote Link to comment Share on other sites More sharing options...
trq Posted March 31, 2012 Share Posted March 31, 2012 Are you expecting the slashes to show up in your database? because they won't and it's not meant to. It simply escapes special chars on the way into the database. Quote Link to comment Share on other sites More sharing options...
ecabrera Posted March 31, 2012 Author Share Posted March 31, 2012 oh so whould i have to use the addslashes php function Quote Link to comment Share on other sites More sharing options...
trq Posted March 31, 2012 Share Posted March 31, 2012 No. You don't want slashes stored in your database. The idea is no different to escaping quotes within a quoted string. echo 'This is some text with \'quotes\' in it.'; You don't expect the backslashes to show up when you echo this. The same theory applies to mysql_real_escape_string. You don't want the actual slashes stored in your database. Quote Link to comment Share on other sites More sharing options...
ecabrera Posted March 31, 2012 Author Share Posted March 31, 2012 ok so why is it that i can stored this <iframe width="280" height="280" src="http://www.youtube.com/embed/kl_etatm2BYH0?feature=player_embedded" frameborder="0" allowfullscreen></iframe> Quote Link to comment Share on other sites More sharing options...
trq Posted March 31, 2012 Share Posted March 31, 2012 Why wouldn't you be able to store it? Quote Link to comment Share on other sites More sharing options...
Nasir Posted March 31, 2012 Share Posted March 31, 2012 Your Simply Escaping the Single Quotes In Order To Prevent SQL Injection, What You Are Talking Is About Is Sanitizing Your Data From Any Script Injection Through POST/GET Or However Your Handling Data From Your Users. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.