Escaping quotes twice in PHP
Posted by Genadinik on Stack Overflow
Published on 2011-03-05T15:19:14Z
Indexed on 2011/03/05 15:25 UTC
Hello,
I have a complicated form where I first have to take some _GET parameters and obviously I have to do a mysql_real_escape_string() on them since I look stuff up in the database with them.
The problem for me is after the initial db lookup. When the user submits a form, I send them along as a _POST request and obviously have to do this mysql_real_escape_string call again just in case someone tries to hack my site with a faked form submission.
Then the problem I have is the arguments are escaped twice and my queries begin to look strange like this: select field1 , field2 , from my_table where some_id = \'.$lookup_id.\' ...
So the system seems to be adding \' and it is messing me up :) Also, in my other forms I have not seen such behavior. Any ideas on what may be causing this?
One weird thing is that I tried to send unescaped parameters to the post, and the same problem happens. That is a clue, but not a sufficient one for me. :(
Thanks, Alex
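Editor's added example, not part of the original post: it shows what two escaping passes do to one value across the GET then POST round trip described above, next to a lookup that forwards the raw value and binds it as a parameter. The sample value, the in-memory SQLite table and the `lookup()` helper are assumptions, and `addslashes()` stands in for `mysql_real_escape_string()`.

```php
<?php
// Added example with constructed values; not code from the original post.
// addslashes() is a stand-in for mysql_real_escape_string(), which needs a
// live MySQL connection and no longer exists in PHP 7+. Both put a backslash
// in front of quotes and of existing backslashes.

$raw = "O'Brien";              // constructed value, as it might arrive in $_GET

// Request 1 escapes for its lookup, then forwards the ESCAPED value in the form.
$once = addslashes($raw);
// Request 2 escapes what it receives in $_POST again: the backslash added by
// the first pass is itself escaped, so the database sees a different string.
$twice = addslashes($once);

echo "raw:   $raw\nonce:  $once\ntwice: $twice\n";

// Alternative: never forward escaped data. Keep the raw value, encode it for
// HTML when writing the form, and bind it as a parameter when querying.
$db = new PDO('sqlite::memory:');   // assumption: the pdo_sqlite extension is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE my_table (some_id TEXT, field1 TEXT, field2 TEXT)');
$db->prepare('INSERT INTO my_table VALUES (?, ?, ?)')->execute([$raw, 'a', 'b']);

// Hypothetical helper: the placeholder keeps data out of the SQL text, so no
// escaping is needed and a forged POST value is only ever compared as data.
function lookup(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT field1, field2 FROM my_table WHERE some_id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hidden form field for the second request: HTML encoding, not SQL escaping.
$encoded = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
echo '<input type="hidden" name="lookup_id" value="' . $encoded . '">', "\n";

// The browser decodes the attribute, so request 2 receives the raw value again.
$posted = htmlspecialchars_decode($encoded, ENT_QUOTES);

printf("rows for posted raw value:    %d\n", count(lookup($db, $posted)));
printf("rows for twice-escaped value: %d\n", count(lookup($db, $twice)));
```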