Topic: user form input: mysql_real_escape_string

hi all.  i have a punbb mod that uses a form to store user input in mysql.  i want to sanitize user input.  i'm trying to use mysql_real_escape_string but the special characters don't seem to be prepended by backslashes.  i view the data i purposely use special characters in via phpmyadmin and the characters are not prepended.  should i see the backslashes there or am i thinking about this incorrectly?

from http://www.nyphp.org/phundamentals/stor … ieving.php

The resulting SQL statement will look like this:

    INSERT INTO MyTable (MyColumn) VALUES ('My Dear Aunt Sally's Picnic Basket')
   

Notice that we now have three single quotes. The database engine will see the first single quote, the value My Dear Aunt Sally and will then see the second single quote. It will assume that the phrase s Picnic Basket') is part of -- what? The database engine doesn't know. It will then generate an error.

yet when i do something similar i don't get an error.  Sally's goes right into my db.  i am completely confused as to whether or not i have mysql_real_escape_string working correctly or not.

as a side note, does punbb have special functions i should use instead?  i see things like pun_trim($str) but i'm not sure where it would be best to use them.  are there any docs on these beasties?

thanks for any tips!

Re: user form input: mysql_real_escape_string

Well, the DB uses it to escape. It finds a \, removes it and handles whatever comes next as part of that string. They shouldn't be seen in phpMyAdmin.

Re: user form input: mysql_real_escape_string

ah.  i get it now.  thanks man.

just for fun i removed mysql_real_escape_string and was able to cause an error.  so it's working properly.  for some reason i thought i would see the escapes.  doh!
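
Added example, not part of the original thread: a simplified Python model of how a MySQL string literal is read, showing why the backslashes added by escaping never reach the stored value and why the unescaped INSERT quoted above fails. The functions `escape`, `read_literal` and `stored_value` are hypothetical names, and the parser is an assumption that models only quoted literals under the default SQL mode, not MySQL's real parser.

```python
# Simplified model (an assumption, not MySQL's real parser) of how a
# single-quoted string literal is read under the default SQL mode.

# Characters mysql_real_escape_string() prefixes with a backslash.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# What the server turns each backslash sequence back into
# (\% and \_ keep their backslash outside pattern matching).
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a",
             "b": "\b", "t": "\t", "%": "\\%", "_": "\\_"}


def escape(value: str) -> str:
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def read_literal(sql: str, start: int) -> tuple[str, int]:
    """Parse the quoted literal at sql[start]; return (value, end index)."""
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append(UNESCAPES.get(nxt, nxt))  # the backslash is consumed here
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")  # a doubled quote is also an escaped quote
            i += 2
        elif ch == "'":
            return "".join(out), i + 1  # closing quote ends the literal
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(user_input: str, escaped: bool) -> str:
    """Build the INSERT from the thread and return what would be stored."""
    payload = escape(user_input) if escaped else user_input
    sql = f"INSERT INTO MyTable (MyColumn) VALUES ('{payload}')"
    value, end = read_literal(sql, sql.index("'"))
    if sql[end:] != ")":
        raise ValueError(f"syntax error near {sql[end:]!r}")
    return value
```

In current PHP the mysql_* functions no longer exist (removed in PHP 7.0); mysqli or PDO prepared statements send the value separately from the SQL text, so there is no escaping step to get wrong.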