Why Does Escaping Single Quotes in PHP Only Affect MySQL Inserts Sometimes?

Patricia Arquette
2024-11-03 11:55:29

Escaping Single Quotes in PHP When Inserting into MySQL

This article addresses the issue of escaping single quotes in PHP when inserting data into MySQL.

The provided code demonstrates two SQL statements: one for inserting form data into a database and the other for retrieving data, sending an email, and logging transaction details. The error occurs when a single quote is present in the second statement, but not in the first.

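The difference in behavior stems from the potential for magic_quotes_gpc to be enabled. This feature automatically escapes strings arriving in $_GET, $_POST, and $_COOKIE, so the form data used in the first statement is already escaped when it reaches the query. Data that has been stored and then read back from the database does not pass through this feature, so it may reach the second statement unescaped.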

To resolve this issue, you should escape each string in both snippets using mysql_real_escape_string().

Example with mysql_real_escape_string():

<code class="php">// Escape every value placed into the query, including values read back from the database.
$order_id = mysql_real_escape_string($order_id);
$supplier_id = mysql_real_escape_string($supplier_id);
...</code>

Escaping strings before inserting into MySQL ensures that single quotes and other potentially problematic characters are handled correctly, preventing SQL injection vulnerabilities and inconsistent query execution.
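The round trip described above, as an added example that is not code from the original article: a value containing a single quote is stored, read back raw, and then breaks a second statement built by concatenation, while the same statement with bound parameters succeeds. It uses PDO prepared statements instead of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7.0). Assumptions: an in-memory SQLite database stands in for MySQL so the script runs without a server, and the table and column names are hypothetical.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for MySQL so it runs offline.
// Table and column names (orders, order_log, supplier) are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, supplier TEXT)');
$db->exec('CREATE TABLE order_log (order_id INTEGER, supplier TEXT)');

// Constructed form input containing a single quote.
$formSupplier = "O'Reilly Supplies";

// First statement: the value is bound, so the quote never touches the SQL text.
$ins = $db->prepare('INSERT INTO orders (supplier) VALUES (?)');
$ins->execute([$formSupplier]);
$orderId = (int) $db->lastInsertId();

// The database stores and returns the raw value, quote included.
$sel = $db->prepare('SELECT supplier FROM orders WHERE id = ?');
$sel->execute([$orderId]);
$stored = $sel->fetchColumn();
echo "Read back: $stored\n";

// Second statement, built by concatenation: the stored quote ends the
// string literal early and the database rejects the statement.
try {
    $db->exec("INSERT INTO order_log (order_id, supplier) VALUES ($orderId, '$stored')");
    echo "Concatenated insert: ok\n";
} catch (PDOException $e) {
    echo "Concatenated insert failed: " . $e->getMessage() . "\n";
}

// Same statement with bound parameters: works for any stored value.
$log = $db->prepare('INSERT INTO order_log (order_id, supplier) VALUES (?, ?)');
$log->execute([$orderId, $stored]);
echo "Logged rows: " . $db->query('SELECT COUNT(*) FROM order_log')->fetchColumn() . "\n";
```

Against MySQL the same pattern applies by changing only the PDO connection string; the prepared statements stay as written.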
