Storing escaped Strings
Hi all,
Did some searching but cannot find a reason for the inconsistancies I'm seeing.
--------------------------------------------------
So, I have a database where I store people's names. I didn't notice this problem until a user changed their name which included a " ' ". For my example, we'll use the name...
O'Connor
If you enter the name in just like that. mySQL errors out... and rightfully so.
--------------------------------------------------
--------------------------------------------------
If I enter O\'Connor, it is stored in the database as "O'Connor" and when I display the value with php, it is displayed as such "O'Connor"
--------------------------------------------------
--------------------------------------------------
So, to avoid having to remember to escape strings manually, I started using a prepared statement, such as the one below
$stmt = $snoopy->prepare("INSERT INTO employees (dept,fname,lname,ext,cris,email) VALUES (?,?,?,?,?,?)");
$stmt->bind_param('sssiss', $dept, $nfname, $nlname, $ext, $ncris, $nemail);
$nfname = isset($fname) ? $snoopy->real_escape_string($fname) : '';
$nlname = isset($lname) ? $snoopy->real_escape_string($lname) : '';
$ncris = isset($cris) ? $snoopy->real_escape_string($cris) : '';
$nemail = isset($email) ? $snoopy->real_escape_string($email) : '';
$stmt->execute();
$stmt->close();
Only now... O'Connor gets stored in the database as O\'Connor, and when I display the value it includes the slash which is undesired. Why does manually escaping the character not store the slash but using real escape string does?