Shouldn't mysql_real_escape_string() leave slashes in Database?

Im using smarty and mysql_real_escape_string() for user input, and when I insert some code with ' or " , and lookup in phpmyadmin it shows without backslashes.

When I get record from DB i doesn't have backslashes also. But when I just pass escaped string without inserting into the db it is backslashed.

Shouldn't it add slashes, insert with them and then I would strip them when i would output? Or am I missing something?

You're missing it - escaping with backslashes is meant to ensure that queries aren't malformed, e.g. something like this will surely break and possibly risk SQL injections:

insert into table values ('whatever 'this' is')

and nothing will be saved in the table, whereas this:

insert into table values ('whatever \'this\' is')

will save the value "whatever 'this' is" in the table.

来源：https://stackoverflow.com/questions/277575/shouldnt-mysql-real-escape-string-leave-slashes-in-database

标签

php

mysql

escaping

smarty

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!