2

I have the following data as an example:

$a = addslashes('hello\'s');
$b = serialize($a);

// As you know, $b looks like this s:8:"hello\'s";

Now when I insert $b into MySQL, the data looks like this inside MySQL: s:8:"hello's". MySQL removes the \ and now I have invalid serialized data.

What's the best way to fix this? Thanks

1
  • I don't think there's an escape() function in PHP Commented Aug 11, 2011 at 15:29

5 Answers 5

6

For escaping parameters to go into an SQL query you do not use addslashes, but mysql_real_escape_string.

Example:

<?php
  $param = mysql_real_escape_string($_GET['param']);
  $query = "SELECT f1, f2 FROM atable WHERE f3 = '$param' ";
  // these single quotes here are essential !!   ^      ^ 
  // if you leave out the quotes you **will** suffer SQL-injection.

This is the correct way to escape SQL-parameters.
Or even better use PDO with prepared statements, then you don't have to escape at all.


4 Comments

addslashes is generally to be avoided, in my opinion... +1
use PDO, then you don't have to escape at all - a misleading statement, unless you replace PDO with prepared statements.
It is better to use a parameterized query. With your solution, there is still a risk (low, but present) of SQL injection.
@JMichelB, please give an example of this.
3

First serialize the value you want and then use the mysql_real_escape_string. That's the string you are going to put in the database after all. Try to avoid addslashes...

If you don't want to have an active connection at the time, try this function:

function mysql_escape_no_conn( $input ) {
    // Escape arrays element by element (__METHOD__ resolves to this
    // function's name when used outside a class).
    if( is_array( $input ) ) {
        return array_map( __METHOD__, $input );
    }
    // Only non-empty strings are escaped. The backslash is listed first so
    // the backslashes inserted by the later replacements are not escaped again.
    if( !empty( $input ) && is_string( $input ) ) {
        return str_replace( array( '\\', "\0", "\n", "\r", "'", '"', "\x1a" ),
                            array( '\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z' ),
                            $input );
    }
    return $input;
}

3 Comments

mysql_real_escape_string() asks for a connection upfront, is there a way to use it before connecting to the database? I like to format my data first before I connect to MySQL.
Edited my answer according to your needs, which, by the way, I don't approve of... :)
-1, Rolling your own mysql_real_escape_string is a bad bad idea.
0

use mysql_real_escape_string function!


0

As others have said, mysql_real_escape_string() should be called!

I just wanted to add that I always find it safe to base64_encode() all serialized arrays/objects I store in a database. All you then have to do is call base64_decode() upon retrieval of the stored value. I do this because ; and other characters are liable to cause "Warning: Error at offset..." errors.


0

You need to escape the string in $b by using mysql_real_escape_string().

$a = addslashes('hello\'s');
$b = serialize($a);
// Escape the serialized string itself, right before it goes into the query.
$sql = "UPDATE `table` SET `field`='".mysql_real_escape_string($b)."'" ;

You should always escape input into a db to stop SQL injection.
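The prepared-statement route suggested in the top answer, as an added example that is not from any of the answers above: serialize the raw value (no addslashes), bind it through PDO so nothing needs escaping, read it back, and show why the stripped backslash from the question makes unserialize() fail. It assumes an in-memory SQLite database standing in for MySQL, and a made-up settings table.

```php
<?php
// Added example (not code from the answers above). Assumptions: SQLite in
// memory instead of MySQL, and a hypothetical table "settings(name, data)".

function storeAndLoad(PDO $db, $value): array {
    $db->exec("CREATE TABLE IF NOT EXISTS settings (name TEXT PRIMARY KEY, data TEXT)");

    // Serialize the raw value. Do NOT addslashes() it first: the escaping
    // would be baked into the payload and into its s:N length prefix.
    $blob = serialize($value);

    // Bound parameters travel separately from the SQL text, so quotes and
    // backslashes inside $blob are stored byte for byte, with no escaping.
    $ins = $db->prepare("INSERT OR REPLACE INTO settings (name, data) VALUES (:name, :data)");
    $ins->execute([':name' => 'greeting', ':data' => $blob]);

    $sel = $db->prepare("SELECT data FROM settings WHERE name = :name");
    $sel->execute([':name' => 'greeting']);
    $stored = $sel->fetchColumn();

    return ['stored' => $stored, 'restored' => unserialize($stored)];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$result = storeAndLoad($db, "hello's");
echo "stored as: " . $result['stored'] . "\n";
echo ($result['restored'] === "hello's") ? "round-trip ok\n" : "round-trip broken\n";

// What went wrong in the question: addslashes() produced s:8:"hello\'s"; and the
// unescaped INSERT let MySQL drop the backslash, leaving a length of 8 for a
// 7-byte string. unserialize() rejects the mismatch (false plus a notice).
$corrupted = 's:8:"hello\'s";';   // constructed to mirror the question's stored row
echo (@unserialize($corrupted) === false) ? "corrupted payload rejected\n" : "unexpectedly parsed\n";
```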
