```php
<?php
$link = mysql_connect('localhost', 'root', 'root')
    OR die(mysql_error());
mysql_select_db('autos') or die('no db');
$bookName = "O'relly";
$user = addslashes($bookName);   // $user is now O\'relly

$query = "INSERT INTO makes VALUES(null, '{$user}')";
mysql_query($query) OR die(mysql_error());

var_dump($user);   // the escaped PHP string, not what MySQL stores

?>
```

The var_dump output is `string 'O\'relly' (length=8)`, but in the DB it is stored as `O'relly`.

It looks like MySQL strips the slashes before inserting into the DB. Is that true?

Yaroslav
    What did you think the point of `addslashes` was? It would be rather pointless if it didn't make a difference to the database. Despite that, it is still rather pointless as it isn't adequate protection. If you are going to use manual escaping, use [`mysql_real_escape_string`](http://php.net/manual/en/function.mysql-real-escape-string.php), but you really should use [something that gives you bound parameters](http://bobby-tables.com/php.html). – Quentin Feb 06 '12 at 16:57

1 Answer


SQL doesn't strip the backslash, it interprets it (properly) when parsing your command. Without the slash, SQL would see

```sql
INSERT INTO makes VALUES(null, 'O'relly')
```

which is the string 'O' followed by a syntax error. (Or worse: this can be exploited for the dreaded "SQL injection attack".)

In short, this is working as intended.

alexis
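The parsing behaviour the answer describes, side by side with the bound-parameter approach Quentin's comment recommends, as an added example that is not part of the original question or answer. It assumes a local MySQL server with the question's `autos` database, a `makes(id, name)` table with an auto-increment `id`, and the `root`/`root` credentials from the question.

```php
<?php
// Added example, not from the question or answer. Assumes MySQL on localhost,
// database `autos`, table `makes` (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64))
// and the root/root credentials used in the question.
$pdo = new PDO('mysql:host=localhost;dbname=autos;charset=utf8mb4', 'root', 'root', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$bookName = "O'relly";

// Run one INSERT, then read the inserted row back by its generated id.
function insertAndReadBack(PDO $pdo, callable $insert): string
{
    $insert();
    $stmt = $pdo->prepare('SELECT name FROM makes WHERE id = ?');
    $stmt->execute([$pdo->lastInsertId()]);
    return (string) $stmt->fetchColumn();
}

// 1. Manual escaping. PDO::quote() escapes like mysql_real_escape_string() and
//    wraps the result in quotes, giving the SQL literal 'O\'relly'. The backslash
//    exists only in the SQL text: MySQL consumes it while parsing the literal,
//    so the stored value has no backslash (exactly what the question observed).
$literal = $pdo->quote($bookName);
$viaEscaping = insertAndReadBack($pdo, function () use ($pdo, $literal) {
    $pdo->exec("INSERT INTO makes VALUES(null, {$literal})");
});

// 2. Bound parameter. The value travels separately from the SQL text, so the
//    parser never sees it, no escaping is needed, and the result does not depend
//    on the server's escaping rules the way a hand-rolled addslashes() does.
$viaBinding = insertAndReadBack($pdo, function () use ($pdo, $bookName) {
    $stmt = $pdo->prepare('INSERT INTO makes VALUES(null, :name)');
    $stmt->execute([':name' => $bookName]);
});

var_dump($literal);      // string(10) "'O\'relly'"  (the SQL text sent to MySQL)
var_dump($viaEscaping);  // string(7) "O'relly"      (what MySQL stored)
var_dump($viaBinding);   // string(7) "O'relly"      (same value, no escaping involved)
```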