this is my code in which i am getting $_POST from a html form.i am using mysql_real_escape_string function that should escape characters like these

\x00
\n
\r
\
'
"
\x1a

but when i enter these special characters in the form .it is going in the database. it should be escaped .i dont why it is happening . please somebody help me !!!!!

<?php
$con = mysql_connect("localhost","","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("finalcomments", $con);

unset($name);
if(isset($_POST['name']))
{
$_POST['name'] = trim($_POST['name']);
$name = mysql_real_escape_string($_POST['name']);
}

$sql="INSERT INTO $title(name) VALUES 

('$name')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
 echo "Your Comment Will be Reviewed";
mysql_close($con);
?>
}

"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

Do you want them removed ? Just replace them with str_replace .

Sorry i didnt understand you .my english is not so good. All i want to say is when i enter \n in html form , its going to the database but it should be escaped. why it is going to the database ???????

it will not cause sql injection , right ??

Nope. But I doubt you want those in a name, so I suggest removing them entirely.

what i understand from "escaping" is ,\n would be deleted whenever i enter \n in the form , isnt it??

then what does really mean by this sentence "mysql_real_escape_string() escape those characters " ??

i still dont understand what this function actually do , is it improve the security or not ??

Yes it does. It escapes a tab character so it is inserted correctly. Otherwise the query could fail. If you want to improve your security, it is wiser to remove them altogether.

so u r saying that in mysql query \n will not be processed , right ?? like, if i enter "aaloo \njack" , mysql query will read it as "aaloo jack" ,\n is escaped , right??
?

Escaped yes, removed no. Just see what it outputs if you read it back from the database.

yeah i got it , it is sending \n directly to the database without being processed in the query, right ?

thanks man , it was nice to talk with you

ok , i was waiting for your "byee"

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.