Rob Marscher wrote:
> On Jul 26, 2007, at 3:34 PM, David Krings wrote:
>> For simplicity reasons I want to store an entire file path in a field.
>> Since this is on windows, the \ in the path name causes problems.
>> There might be also other SQL unfriendly characters in there.
>> I once came across this and escaped the string, but then when using
>> stripslashes all slashes were gone.
> I assume you are using the php mysql functions directly and not some
> other db library, right?
> Here's what you want:
> $filepath_db_escaped = mysql_real_escape_string($filepath);
> This escapes it on its way into the database and the database knows at
> that point to remove the extra slashes and other escape characters that
> were added via mysql_real_escape_string. So no need to call an extra
> stripslashes or anything like that after you retrieve it from the database.
So, you are saying when I use mysql_real_escape_string() I do not have
to use stripslashes when pulling the stuff out with a SELECT? Gee, I
didn't know that. I use mysql_real_escape_string all the time except for
those cases where I know I will have important slashes in the string (as
is the case with a file path).
> mysql_real_escape_string is preferred over addslashes because it
> additionally escapes some unicode characters and other ways that people
> have found to inject sql code even when addslashes is applied.
I heard about that, since addslashes adds the escaping based on other
rules, whereas mysql_real_escape_string also takes care of anything
characterset related, which is why one first has to connect to MySQL,
otherwise it won't work.
I'll give that a try.
Thanks!
David
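
Added example, not part of the original thread: a small PHP model of the round trip discussed above, comparing what ends up stored for a Windows path sent unescaped, sent escaped, and escaped but then passed through stripslashes after retrieval. `model_escape()` and `model_server_parse()` are hypothetical stand-ins for mysql_real_escape_string() on a single-byte connection charset and for the server's string-literal parsing with NO_BACKSLASH_ESCAPES off, so the script runs without a database.

```php
<?php
// Model of the escaping mysql_real_escape_string() applies on a single-byte
// connection charset (assumption: the real function needs a live connection).
function model_escape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

// Model of how the MySQL parser reads the body of a quoted string literal
// when NO_BACKSLASH_ESCAPES is not set: each backslash escape is consumed.
function model_server_parse(string $literal): string
{
    $map = ['0' => "\0", 'b' => "\x08", 'n' => "\n", 'r' => "\r",
            't' => "\t", 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $len = strlen($literal); $i < $len; $i++) {
        $c = $literal[$i];
        if ($c !== "\\" || $i + 1 === $len) {
            $out .= $c;                      // ordinary byte or trailing backslash
            continue;
        }
        $next = $literal[++$i];
        if ($next === '%' || $next === '_') {
            $out .= "\\" . $next;            // kept as-is for LIKE patterns
        } else {
            $out .= $map[$next] ?? $next;    // unknown escape: backslash dropped
        }
    }
    return $out;
}

$path = 'C:\new\temp\file.txt';              // constructed sample path

// What the server would store for each way of building the INSERT literal.
$stored_raw     = model_server_parse($path);
$stored_escaped = model_server_parse(model_escape($path));

// Compare each candidate with the original path.
var_dump($stored_raw === $path);
var_dump($stored_escaped === $path);
var_dump(stripslashes($stored_escaped) === $path);
```

The mysql_* functions were removed in PHP 7.0; with mysqli or PDO prepared statements the path is passed as a bound parameter and never becomes part of the SQL text, so neither escaping nor stripslashes is involved.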
_______________________________________________
New York PHP Community MySQL SIG
http://lists.nyphp.org/mailman/listinfo/mysql