Question

In PHP, $_POST add slashes before a quotation mark automatically, so why bother applying mysql_real_escape_string()? For example, when I input rrr in an input field, and I get rrr when I echo it.

Answer 1

Because that only happens if MacigQuotes is enabled in your php configuration, which, as far as I know, is fairly uncommon nowadays. Also, mysql_real_escape_string also escapes other MySQL related characters.

Check out http://php.net/manual/en/security.magicquotes.php for more information on magic quotes.

As you can see, there already is a deprecation warning for this directive, so you should check your server configuration anyway^^

Edit: To disable magic quotes, search in your xampp folder for the php.ini, and add, or change if present, the following directives:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape   with    instead of  ).
magic_quotes_sybase = Off

Answer 2

mysql_real_escape_string escapes more than just single-quotes, because there are other chars that can cause injection issues.
PHP only adds slashes to POSTed input if magic_quotes is enabled, which is considered bad practice (because it leads to laziness and not using things like real_escape_string!)

Answer 3

Magic quotes was deprecated as of PHP 5.3.0 and is obsolete as of PHP 6.0.

Edit: So the auto slashes can t be relied on because they are deprecated by most PHP installations, and soon will not work at all.

友情链接