realEscapted_inputBox

[b]code[/b]

<?php
// $inputBox holds the raw (trimmed) POST value; the escaped copy is built from it.
$inputBox = trim($_POST['inputBox']);
echo "inputBox: ".$inputBox."<br>";
$realEscapted_inputBox = mysql_real_escape_string(trim($_POST['inputBox']));
echo "realEscapted_inputBox: ".$realEscapted_inputBox;
?>

[b]result[/b]

inputBox: [COLOR="Red"]myText[/COLOR]
realEscapted_inputBox: [COLOR="red"]myText[/COLOR]

If the value of inputBox is the same as the value of realEscapted_inputBox, what is "mysql_real_escape_string" needed for?

How can I recognize the difference between plain inputBox and realEscapted_inputBox?

The answers to your questions are in the manual.

I don’t have time to copy and paste them here.

If binary data is to be inserted, this function must be used.
The quote above is from http://php.net/manual/en/function.mysql-real-escape-string.php

I think “0100”, “1010”, etc, are binary data.

What is binary data in the above?

Does it mean that an unfriendly user can send binary data through a form box?

“mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement”

There are no special characters in myText, so what do you expect to have changed?

Ah, when there are special characters, realEscapted does work.
When there are no special characters, realEscapted doesn’t work.
Thank you.

As I tested it,
I found that “<” and “>” are special characters.

What other special characters are there?

In general terms, this function escapes those characters which also have a meaning in SQL statements. To understand the real use of it, try passing single quotes in the value, like “myText’s value”, then try to insert it into the database:


$value = "john's name is John Smith";
// Unescaped: the apostrophe ends the string literal early, so MySQL reports a syntax error.
mysql_query("insert into tbltest set name='$value'") or die(mysql_error());

$value = mysql_real_escape_string("john's name is John Smith");
// Escaped to john\'s ...: the apostrophe is now part of the data and the insert succeeds.
mysql_query("insert into tbltest set name='$value'") or die(mysql_error());

Try running above two queries and find the use of mysql_real_escape_string().
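As an added example (not code from this thread), the script below shows exactly which characters the escaper rewrites and then the prepared-statement approach that makes escaping unnecessary. Because mysql_real_escape_string() needs a live MySQL link, a hypothetical stand-in with the same character set is used, and an in-memory SQLite database via PDO is assumed in place of MySQL so it runs offline.

```php
<?php
// Added example. Two things the thread circles around:
// 1) which characters mysql_real_escape_string() actually rewrites, and
// 2) why a prepared statement removes the quoting problem entirely.
//
// Hypothetical stand-in for mysql_real_escape_string(): same character
// set as the PHP manual lists, but needs no MySQL connection.
function mysql_style_escape(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',   // NUL
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',   // Ctrl-Z
    ]);
}

// Constructed inputs: plain text, the apostrophe case from the thread,
// angle brackets (left untouched: they are HTML, not SQL, metacharacters),
// and a string with double quotes and a backslash.
$samples = [
    'myText',
    "john's name is John Smith",
    '<b>myText</b>',
    'a "quoted" \\ word',
];
foreach ($samples as $in) {
    printf("%-30s => %s\n", var_export($in, true), var_export(mysql_style_escape($in), true));
}

// The robust fix: never splice user data into the SQL text at all.
// Assumption: PDO + in-memory SQLite stands in for MySQL; the same
// prepare/execute pattern works unchanged with a mysql: DSN.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tbltest (name TEXT)');

$stmt = $db->prepare('INSERT INTO tbltest (name) VALUES (:name)');
foreach ($samples as $in) {
    $stmt->execute([':name' => $in]);  // value travels as data, quotes and all
}

// Read back: every string is stored exactly as submitted, with no escaping step.
foreach ($db->query('SELECT name FROM tbltest') as $row) {
    echo $row['name'], "\n";
}
```

The first loop shows that “<” and “>” pass through unchanged, while the apostrophe, double quote and backslash are what get a leading backslash; the second part inserts the same strings without any escaping because the database driver keeps data separate from the SQL text.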


$value = "john's name is John Smith";
mysql_query("insert into tbltest set name='$value'") or die(mysql_error());

The code above causes an SQL error, while the code below successfully inserts the value into the DB.

$value = mysql_real_escape_string("john's name is John Smith");
mysql_query("insert into tbltest set name='$value'") or die(mysql_error());

mysql_real_escape_string() is cool.
It can insert an apostrophe and prevent the opening tag “<” and closing tag “>”.

I guess I should do it to all user-submitted data.

:tup: