On an older server I'm using that I can't use prepared statements on I am currently trying to fully escape user input before sending it to MySQL.For this I am using the PHP function \[code\]mysql_real_escape_string\[/code\].Since this function does not escape the MySQL wildcards % and _ I am using \[code\]addcslashes\[/code\] to escape these as well.When I send something like:\[code\]test_test " ' \[/code\]to the database and then read it back the database shows:\[code\]test\_test " ' \[/code\]Looking at this I can't understand why the _ has a preceding backslash but the " and ' don't.Since they are all escaped with \ surely _ ' and " should all appear the same, i.e. all have the escape character visible or all not have it visible.Are the escaping \s automatically screened out for Can anyone explain this?
Escaping MySQL wild cards
- Thread starter saraeagle
- Start date