In our last episode,
<47eb73b5$0$90275$14726298@news.sunsite.dk>,
the lovely and talented ndlarsen
broadcast on comp.lang.php:
> Lars Eighner wrote:
>> See the best practices example in the article on mysql_real_escape_string in
>> the manual. For portability you need to check for whether magic quotes are
>> on and reverse them if they are. If portability is not a concern and it is
>> your own machine, you can turn magic quotes off and save a few steps.
> I appreciate your reply. What baffles me is that it seems
> mysql_real_escape_string() is only run on the values one is using for a
> given database query, not the data inserted into the database.
This is not in fact so. "Query" is often used for any prepared statement
for a database. It does not really mean the statement will necessarily
return information from the database. In the best practices example,
the "query" is actually an INSERT statement, so indeed
mysql_real_escape_string does work on the data to be entered in the
database, not on the query string as a whole.
The example uses sprintf. If you are not familiar with other languages
which use similar functions, you may not understand this. You can apply
mysql_real_escape_string directly to the values and concatenate them into the
query string.
> So there is no change made to the data in the database and there is no
> reason to run a function in order to strip the data of slashes? Is this
> so?
This is not so. Although in plain English "query" means a question, the
'query string' is a database instruction, which may be an INSERT or UPDATE
instruction that enters data in the database.
--
Lars Eighner <http://larseighner.com/>
usenet@larseighner.com
Countdown: 299 days to go.
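A worked version of the pattern Lars describes above, added here as an example; it is not code from the original thread or from the PHP manual. It reverses magic quotes if they are on, runs mysql_real_escape_string on each value (not on the finished statement), and builds the INSERT both with sprintf and with plain concatenation. The table name, column names, sample input and connection parameters are assumptions for illustration. The mysql_* functions used here were removed in PHP 7.0; on current PHP the same reasoning applies to mysqli_real_escape_string, or better still to a prepared statement with bound parameters.

```php
<?php
// Added example, not from the original posts or the PHP manual.
// Assumes a reachable MySQL server (placeholder credentials) and a table:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64), bio TEXT);
$link = mysql_connect('localhost', 'dbuser', 'dbpass');
if (!$link) {
    die('Connection failed: ' . mysql_error());
}
mysql_select_db('app', $link);
// Escaping is charset-dependent; tell the client library which charset
// the connection uses so mysql_real_escape_string escapes correctly.
mysql_set_charset('utf8', $link);

// Undo magic_quotes_gpc so each value is escaped exactly once. With magic
// quotes on, $_POST already carries backslashes; escaping again would
// store O\'Brien instead of O'Brien.
function raw_value($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Escape one value for use inside a single-quoted SQL string literal.
// Applied to the VALUE only, never to the assembled statement.
function sql_str($value, $link)
{
    return mysql_real_escape_string(raw_value($value), $link);
}

// Variant 1: sprintf, as in the manual's best-practice example.
function insert_user_sprintf($name, $bio, $link)
{
    $sql = sprintf("INSERT INTO users (name, bio) VALUES ('%s', '%s')",
                   sql_str($name, $link),
                   sql_str($bio, $link));
    return mysql_query($sql, $link);
}

// Variant 2: the same statement built by concatenation.
function insert_user_concat($name, $bio, $link)
{
    $sql = "INSERT INTO users (name, bio) VALUES ('"
         . sql_str($name, $link) . "', '"
         . sql_str($bio, $link) . "')";
    return mysql_query($sql, $link);
}

// Constructed input standing in for $_POST. The apostrophe and the
// backslash would break or alter the statement if left unescaped.
$name = "O'Brien";
$bio  = "Likes C:\\ paths and '; DROP TABLE users; -- jokes";

insert_user_sprintf($name, $bio, $link) or die(mysql_error($link));
insert_user_concat($name, $bio, $link)  or die(mysql_error($link));

// Read back: the stored text is the original value, without the escaping
// backslashes, so nothing has to be stripped on the way out. The value
// used in the WHERE clause is escaped the same way as on insert.
$result = mysql_query(
    "SELECT name, bio FROM users WHERE name = '" . sql_str($name, $link) . "'",
    $link
);
while ($row = mysql_fetch_assoc($result)) {
    // Both comparisons hold: what went in is what comes back out.
    var_dump($row['name'] === $name, $row['bio'] === $bio);
}
mysql_close($link);
```

The escaping only protects values placed inside quoted string literals; a numeric column written as `VALUES (%s)` without quotes, or an identifier such as a table or column name, is not protected by mysql_real_escape_string and needs its own validation (casting to int, or checking against a whitelist).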