Salt Generation - Issue with Quotes


Mko


I have this little snippet of code that runs when a user updates their password:


fetch_user_salt_new():

// vbrand($min, $max) is vBulletin's random-integer helper; this stand-in
// (assumed, mt_rand based) only lets the snippet run outside vBulletin.
if (!function_exists('vbrand'))
{
	function vbrand($min, $max) { return mt_rand($min, $max); }
}

function fetch_user_salt_new($length = 5)
{
	$salt_a = '';
	for ($i = 0; $i < $length; $i++)
	{
		// chr(33..126) is every printable ASCII character, including ' " and \
		$salt_a .= chr(vbrand(33, 126));
	}
	return $salt_a;
}


$salt = fetch_user_salt_new();
// mysql_real_escape_string() needs an open mysql_* connection and prefixes ' " and \ with a backslash
$salt_processed = mysql_real_escape_string($salt);


Now, occasionally when a user changes their password (or anything that inserts the salt into the database, such as registration), the salt length stored in the database becomes 6 or 7 instead of 5.

As in, 99% of salts are only 5 digits long, but some salts are longer...

The longer salts normally have odd components, such as \', \", or \\ leading to salts increasing by 1 or 2 digits in length.


My idea is that mysql_real_escape_string() is putting a \ in front of quotes, which is not what I intended when adding that piece of code in. By adding mysql_real_escape_string() in, I intended for quotes (' or ") to not be factors affecting the query. Prior to instituting mysql_real_escape_string(), a ' or " would close the query and mess up the insertion of the salt. (Original Topic: http://www.phpfreaks.com/forums/index.php?topic=356368.0 ) It seemed to work but now doesn't :(

Any help is very appreciated,

Mark

https://forums.phpfreaks.com/topic/261860-salt-generation-issue-with-quotes/

If your slashes are getting stored in the value, then you're doing something wrong which is causing the value to get escaped twice. Either you're running mysql_real_escape_string on the value twice, or maybe using mysql_real_escape_string on the value then inserting it using a prepared statement and binding the value.
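The double-escaping described in this reply, shown side by side with the correct path, as an added example that is not code from the thread or from vBulletin. It assumes a `user` table with `userid` and `salt` columns, uses an in-memory SQLite database through PDO so it runs offline (MySQL would behave the same way with bound parameters), draws the salt from random_int() (PHP 7+) instead of vbrand(), and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection; both prefix ' " and \ with a backslash.

```php
<?php
// Added example (not from the thread): store the salt through a prepared
// statement with a bound parameter, with no manual escaping of the value.
// Assumptions: table "user" (userid, salt), SQLite in memory standing in
// for MySQL, addslashes() standing in for mysql_real_escape_string().

// Same character range as the poster's function (printable ASCII 33..126),
// but drawn from the CSPRNG via random_int().
function fetch_user_salt_new(int $length = 5): string
{
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(random_int(33, 126));
    }
    return $salt;
}

function store_salt(PDO $db, int $userid, string $salt): void
{
    // The driver sends the value separately from the SQL text, so quotes
    // and backslashes in $salt cannot end the statement and are stored as-is.
    $stmt = $db->prepare('INSERT INTO user (userid, salt) VALUES (:userid, :salt)');
    $stmt->execute([':userid' => $userid, ':salt' => $salt]);
}

function load_salt(PDO $db, int $userid): string
{
    $stmt = $db->prepare('SELECT salt FROM user WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, salt TEXT NOT NULL)');

// Constructed 5-character salts containing exactly the characters the
// poster saw growing (a single quote, a double quote, a backslash), plus
// one freshly generated salt.
$samples = ["a'b\"c", 'x\\y\\z', fetch_user_salt_new()];

foreach ($samples as $i => $salt) {
    // Correct path: bind the raw value. Length stays at 5.
    store_salt($db, $i, $salt);
    $stored = load_salt($db, $i);
    printf("bound:   %-8s -> %-8s length %d\n", $salt, $stored, strlen($stored));

    // Failure mode from the thread: escape first, then bind. The added
    // backslashes are data to the driver and end up in the row.
    store_salt($db, 100 + $i, addslashes($salt));
    $stored = load_salt($db, 100 + $i);
    printf("escaped: %-8s -> %-8s length %d\n", $salt, $stored, strlen($stored));
}
```

The rule the script illustrates: escaping belongs to exactly one layer. When values are bound, the database driver already separates data from SQL, so any escaping applied beforehand is stored literally, which is why the stored salt grows by one character per quote or backslash.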

If your slashes are getting stored in the value, then you're doing something wrong which is causing the value to get escaped twice. Either you're running mysql_real_escape_string on the value twice, or maybe using mysql_real_escape_string on the value then inserting it using a prepared statement and binding the value.

Yeah I figured out that was it, thanks :)

Archived

This topic is now archived and is closed to further replies.
