How insert slash in mysql DB after addslashes()

Question

<?php
$link = mysql_connect('localhost', 'root', 'root')
    OR die(mysql_error());
mysql_select_db('autos') or die('no db');
$bookName = "O'relly";
$user = addslashes($bookName);

$query = "INSERT INTO makes VALUES(null, '{$user}')";
mysql_query($query) OR die(mysql_error());

var_dump($user);

?>

Var dump output is string 'O\'relly' (length=8) But in DB stored as 'O'relly

Looks like Mysql strip slashes before insert in DB. It's true?

What did you think the point of `addslashes` was? It would be rather pointless if it didn't make a difference to the database. Despite that, it is still rather pointless as it isn't adequate protection. If you are going to use manual escaping, use [`mysql_real_escape_string`](http://php.net/manual/en/function.mysql-real-escape-string.php), but you really should use [something that gives you bound paramaters](http://bobby-tables.com/php.html). — Quentin, Feb 06 '12 at 16:57

score 1 · Answer 1 · answered Feb 06 '12 at 16:51

1

SQL doesn't strip the backslash, it interprets it (properly) when parsing your command. Without the slash, SQL would see

INSERT INTO makes VALUES(null, 'O'relly')

which is the string 'O' followed by a syntax error. (Or worse: this can be exploited for the dread "sql injection attack").

In short, this is working as intended.

answered Feb 06 '12 at 16:51

alexis

48,685
16
101
161

Ok, but if I added 'O\'relly' in DB will be O'relly – Yaroslav Feb 06 '12 at 18:06
Yes, that's what it's meant to do. Why don't you tell us what you *want* to add to the database, and we can tell you how to do it. – alexis Feb 15 '12 at 18:27

How insert slash in mysql DB after addslashes()

1 Answers1