mysql_real_escape not working

Hi

I have the following function and have added the mysql_real_escape to try and stop sql injection but it nots working.
If I enter some ' ' into the form field and then look into my database. The ' ' are still there with no backslashes.

Anyone see the problem ?


function insertintodatabase() {

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form
$department=$_POST['department'];
$name=$_POST['yourname'];
$email=$_POST['emailaddress'];
$phone=$_POST['phonenumber'];
$comments=mysql_real_escape_string($_POST['enquiry']);
$optin=$_POST['salesoptin'];

// Insert data into mysql
$sql="INSERT INTO $tbl_name(Department, Full_Name, Email_Address, Phone_Number, Comments, Email_Optin)VALUES('$department', '$name', '$email', '$phone', '$comments', '$optin')";
$result=mysql_query($sql);

// close connection
mysql_close();
}


:confused:

...If I enter some ' ' into the form field and then look into my database. The ' ' are still there with no backslashes.


This indicates you have done this correctly. Backslashes should not appear in the database, their job is to prevent the actual query from becoming escaped.
You should actually detect the existence of magic_quotes and deal with them if necessary:

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
$_POST['enquiry'] = stripslashes($_POST['enquiry']);
}

$comments=mysql_real_escape_string($_POST['enquiry']);


Best to write as a function or use a direct map to the entire $GLOBALS to deal with them.
Don't forget that you have to escape any string going into your database. According to this, every field inserted is a string.

Oh god now I feel a little dumb lol

Do you mean it would be better to use the mysql_real_escape on all the $_post values ?

Thanks Fou-Lu

The better solution would be to use mysqli_ or PDO with prepare and bind statements so as to keep the query and the data in separate statements and so eliminate the possibility of sql injection completely.

If you decide to keep the query and data jumbled together then you need to escape any data that is allowed to contain characters that can be confused with the query itself. All data that isn't allowed to contain such values should have failed validation if an sql injection attempt via those fields was attempted. Validation should block all injection attempts other than with fields where that input would actually be valid long before attempting to access the database.

Oh god now I feel a little dumb lol

Do you mean it would be better to use the mysql_real_escape on all the $_post values ?

Thanks Fou-Lu

No, I mean that stripslashes should be applied if the magic_quotes_gpc environment is running.

The better solution would be to use mysqli_ or PDO with prepare and bind statements so as to keep the query and the data in separate statements and so eliminate the possibility of sql injection completely.

If you decide to keep the query and data jumbled together then you need to escape any data that is allowed to contain characters that can be confused with the query itself. All data that isn't allowed to contain such values should have failed validation if an sql injection attempt via those fields was attempted. Validation should block all injection attempts other than with fields where that input would actually be valid long before attempting to access the database.

I fully agree with this. If MySQLi or PDO is an option available for you, I would also use prepared statements. Stipslashes from gpc would still apply of course, but no escaping needs to be done beyond this.