```php
$str = 'BEGIN This is a "quote" test. \'Single\' END';
echo $str . "\n";
echo mysql_real_escape_string($str);

// Outputs:
// BEGIN This is a "quote" test. 'Single' END
// BEGIN This is a \"quote\" test. \'Single\' END
```

Running PHP 5.3.2 on CentOS. As far as I can remember, mysql_real_escape_string() will only escape single quotes to prevent SQL injections. Double quotes have nothing to do with that, because " does not start or end a string literal in MySQL!

This is causing backslashes to get inserted into the data! Something I clearly do not want.

+3  A: 

" does start a string in MySQL. (See: Strings)

Exception:

If the ANSI_QUOTES SQL mode is enabled, string literals can be quoted only within single quotation marks because a string quoted within double quotation marks is interpreted as an identifier.

nikic
OK I see that now... it seems I had been using addslashes() in my library's escape function. But if I insert this into the database, i.e. `INSERT INTO myTable VALUES ('BEGIN This is a \"quote\" test. \'Single\' END')` will the backslash-double-quote turn into just `"` or will the backslash be carried with it into the data? This means when I get the data out I would have to strip the backslash out.
Michael Butler
`\"` will be converted to `"` ;)
nikic
OK, thanks nikic, I got scared for a second there. Something else then is causing backslashes to be inserted in my data. (No, it's not magic quotes.)
Michael Butler
A: 

Sounds like magic quotes got turned on.

This post details your problem exactly, along with fixes. http://www.sitepoint.com/forums/showthread.php?t=545824

hopeseekr
Thanks, but magic quotes wasn't turned on. The problem actually was that my code was escaping the data twice (once in a local function and again in a library function), which resulted in `"` becoming `\"` and then becoming `\\"`, which would become `\"` after insertion into the database. The accepted answer cleared my confusion up.
Michael Butler
Well, to be fair, extra quotes is exactly what the problem was. So while I couldn't have fathomed that your code did it elsewhere, I did accurately diagnose the cause, just not the agent ;-)
hopeseekr
Michael Butler
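
The double escaping described in the last comment, as an added example that is not code from the thread. It uses `addslashes()` (mentioned in the thread) for both escaping layers so that it runs without a database connection, and `mysql_literal_decode()` is a hypothetical helper written here to model how MySQL reads a single-quoted literal in its default SQL mode.

```php
<?php
// Hypothetical helper (not a PHP or MySQL API): decodes the body of a
// single-quoted MySQL string literal the way the server does in the default
// SQL mode, where backslash is the escape character.
function mysql_literal_decode($body)
{
    $map = array('0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t",
                 'b' => "\x08", 'Z' => "\x1a");
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $body[++$i];
            if (isset($map[$next])) {
                $out .= $map[$next];          // control-character escapes
            } elseif ($next === '%' || $next === '_') {
                $out .= '\\' . $next;         // kept as-is outside LIKE patterns
            } else {
                $out .= $next;                // \" \' \\ lose the backslash
            }
        } elseif ($c === "'" && $i + 1 < $len && $body[$i + 1] === "'") {
            $out .= "'";                      // '' is one single quote
            $i++;
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// String from the question.
$input = 'BEGIN This is a "quote" test. \'Single\' END';

$once  = addslashes($input);   // one escaping layer
$twice = addslashes($once);    // a second layer escapes the first layer's backslashes

foreach (array('escaped once' => $once, 'escaped twice' => $twice) as $label => $literal) {
    $stored = mysql_literal_decode($literal);
    echo $label, "\n";
    echo "  literal sent: '", $literal, "'\n";
    echo "  value stored: ", $stored, "\n";
    echo "  round-trips:  ", ($stored === $input ? 'yes' : 'no'), "\n";
}
```

Escaping belongs in exactly one place, at the point where the query text is built; bound parameters in PDO or mysqli prepared statements remove the escaping layer altogether.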