Escaping quotes twice in PHP

Posted by Genadinik on Stack Overflow
Published on 2011-03-05T15:19:14Z Indexed on 2011/03/05 15:25 UTC

Hello,

I have a complicated form where I first have to take some _GET parameters and obviously I have to do a mysql_real_escape_string() on them since I look stuff up in the database with them.

The problem for me is after the initial db lookup. When the user submits a form, I send them along as a _POST request and obviously have to do this mysql_real_escape_string call again just in case someone tries to hack my site with a faked form submission.

Then the problem I have is the arguments are escaped twice and my queries begin to look strange like this: select field1 , field2 , from my_table where some_id = \'.$lookup_id.\' ...

So the system seems to be adding \' and it is messing me up :) Also, in my other forms I have not seen such behavior. Any ideas on what may be causing this?

One weird thing is that I tried to send unescaped parameters to the post, and the same problem happens. That is a clue, but not a sufficient one for me. :(

Thanks, Alex
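The following is an added example and is not code from the question above. It models the request pipeline in which a value ends up escaped twice and shows the checks and fixes a reviewer would apply. Two things are assumed: the runtime has magic_quotes_gpc enabled (a PHP < 5.4 setting that runs addslashes() over every GET/POST/COOKIE value before the script sees it), which is simulated with addslashes() so the file runs on any PHP version; and the legacy mysql_real_escape_string() call, which needs a live MySQL connection and was removed with the mysql extension in PHP 7, is stood in for by addslashes(), which handles the quote and backslash characters the same way. The table and column names are taken from the question; the $pdo connection string is a placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question.
// Assumption 1: magic_quotes_gpc=On, simulated with addslashes().
// Assumption 2: mysql_real_escape_string() stood in for by addslashes().

/** What the script receives for a submitted value under magic_quotes_gpc=On. */
function simulate_magic_quotes(string $raw): string
{
    return addslashes($raw);
}

/** Undo the runtime's automatic escaping exactly once, and only if it happened. */
function request_value(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

/** The legacy pattern from the question: escape the value, then splice it into SQL text. */
function legacy_query(string $lookupId): string
{
    $escaped = addslashes($lookupId); // stands in for mysql_real_escape_string($lookupId)
    return "select field1, field2 from my_table where some_id = '" . $escaped . "'";
}

/** The fix: a parameterised query, so there is no escaping layer to get wrong. */
function safe_lookup(PDO $pdo, string $lookupId): array
{
    $stmt = $pdo->prepare('select field1, field2 from my_table where some_id = ?');
    $stmt->execute([$lookupId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the value the browser actually sent.
$raw = "O'Reilly";

// 1. Double escaping: the runtime already added a backslash, then the script escapes again.
$received = simulate_magic_quotes($raw);   // O\'Reilly
echo legacy_query($received), PHP_EOL;
// select field1, field2 from my_table where some_id = 'O\\\'Reilly'
// The backslash was doubled and the quote escaped twice; MySQL stores O\'Reilly.

// 2. Corrected for a magic-quotes host: strip the runtime's layer first, then escape once.
$clean = request_value($received, true);   // O'Reilly
echo legacy_query($clean), PHP_EOL;
// select field1, field2 from my_table where some_id = 'O\'Reilly'

// 3. Preferred: prepared statement; the value never touches the SQL text.
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');  // placeholder DSN
// print_r(safe_lookup($pdo, $clean));
```

Two checks worth running on the real code. First, `var_dump(get_magic_quotes_gpc())` (or `ini_get('magic_quotes_gpc')`) on the affected host tells you whether the runtime is adding the first layer of backslashes; that explains why escaping, or not escaping, in the form makes no difference, since the backslashes are added before the script runs. Second, the query shown in the question contains the literal characters `.$lookup_id.`, which means PHP never substituted the variable: the SQL was most likely written inside single quotes, or the escaping was applied to the query template rather than to the value. Escaping must be applied to the submitted value, once, and the value then concatenated in; with a prepared statement neither mistake is possible.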

© Stack Overflow or respective owner
