Escaping data

I'm using mysql_real_escape_string().
I'm testing it out at the moment. When I apply this to a string and echo it out before it reaches the MySQL query to save it into the database, it adds the correct backslashes before " and ' etc., but when these strings are saved into the database, the original string is being stored, e.g. o'reilly
When echoing out these strings from the database, o'reilly is obviously being shown.

My question is, should the database be storing for example o\'reilly?
If so, how do I get it to do that? Or is what's happening normal?

I'm asking because the o\'reilly is being sent to the mysql query, but why isn't it saving it into the db like this?

Thanks
 
I presume it just escapes them in the query itself rather than affecting what is put in the db, to prevent the query from being hijacked. I doubt it cares what is actually put in the db.
 
I would assume that is because it would be a massive pain in the arse.

Pulling out your data and removing backslashes each time, it's unnecessary.
 
It all depends on how you are involving the data at the MySQL query, does it not?

A ' inside a string quoted with " needs no special treatment and need not be doubled or escaped. In the same way, " inside a string quoted with ' needs no special treatment.

So if you're entering your data in the query using " then there is no need for the backslash to be included, and I think the additional escape is removed.



// I could be horribly wrong, I use my own classes for escaping data so don't use mysql_real_escape_string() myself, this could be one thing to investigate
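
The behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model (not PHP's or MySQL's own code) of the characters mysql_real_escape_string() escapes and of how the server's parser decodes a quoted literal, showing that the backslash is consumed when the statement is parsed and the original string is what gets stored. The `authors` table and all function names are hypothetical.

```python
# Added illustration: a simplified model of MySQL string-literal handling,
# not PHP's or MySQL's own code. Table and function names are hypothetical.

# Characters mysql_real_escape_string() prefixes with a backslash.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# How the SQL parser decodes the character that follows a backslash.
DECODES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}


def escape(value: str) -> str:
    """Client side: make value safe to place between quotes in a statement."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def read_literal(sql: str, start: int) -> tuple[str, int]:
    """Server side: decode the quoted literal that opens at sql[start].

    Returns (value that would be stored, index just past the closing quote).
    """
    quote = sql[start]
    out = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append(DECODES.get(nxt, nxt))  # \' -> '   \\ -> \   \" -> "
            i += 2
        elif ch == quote and sql[i + 1:i + 2] == quote:  # doubled quote
            out.append(quote)
            i += 2
        elif ch == quote:  # unescaped quote ends the literal
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(name: str, escaped: bool = True) -> tuple[str, str]:
    """Build an INSERT and return (value the server stores, leftover SQL)."""
    literal = escape(name) if escaped else name
    sql = "INSERT INTO authors (name) VALUES ('%s')" % literal
    value, end = read_literal(sql, sql.index("'"))
    return value, sql[end:]


if __name__ == "__main__":
    print(escape("o'reilly"))               # text sent inside the query
    print(stored_value("o'reilly"))         # escaped: full name is stored
    print(stored_value("o'reilly", False))  # unescaped: literal ends early
```

With escaping, the leftover SQL is just the closing `)`; without it, the literal ends at the apostrophe and the rest of the name is parsed as SQL, which is the condition escaping exists to prevent.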
 