It has sorta been drilled into me to use mysql_real_escape_string when dealing with input from users.
On the site in question, I do have this all set up, however, as part of a tutorial series on FULLTEXT, I've included the output of both "un-escaped" and "escaped" input, to show the importance.
Imagine my surprise when I input 'E' via

Code:
echo '<form id="input" action="search.php" method="get">';
echo 'I am Looking For: ';
echo '<input type="text" size="40" name="LookFor" />';
echo '<input type="submit" value="Go Find It !!" />';
echo '</form>';

and find that

Code:
$LookFor = $_GET['LookFor'];

returns \'E\' BEFORE it is run through the mysql_real_escape_string command, which then thoroughly enjoys itself and returns \\\'E\\\'
Has someone changed the rules and not told me ??
As you can imagine, it's playing havoc with my trying to put the MySQL query string together !!!
I'm sure I was told not to use stripslashes on input, but it looks like either I should do, or drop the mysql_real_escape_string bit.
Mr O'Riley is going to be much displeased...
Regards,
Phill.
GRRRRR...
I've found out that magic_quotes_gpc is turned on by default -- I'm now heading over to trace the person responsible and kill them.
Phill.
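The double escaping described in the thread, worked through as an added example (this is not code from the original post): with magic_quotes_gpc on, PHP has already backslash-escaped the value in $_GET before the script sees it, so a second escape with mysql_real_escape_string produces \\\'E\\\'. The fix is to undo the magic quotes exactly once at the top of the script and then either escape once or, better, bind the value with a prepared statement so no manual escaping is involved. The mysqli connection details and the articles table with its FULLTEXT index are placeholders assumed for the example.

```php
<?php
// Reproduce the symptom from the thread without a database: addslashes() does
// the same quote/backslash escaping that magic_quotes_gpc applies to $_GET,
// and is close enough to mysql_real_escape_string for a quote character.
function show_double_escape($typed)
{
    $afterMagicQuotes = addslashes($typed);        // what $_GET holds when magic_quotes_gpc=On
    $afterEscape      = addslashes($afterMagicQuotes); // what escaping that value again produces
    return array($afterMagicQuotes, $afterEscape);
}
// For the thread's input 'E' this gives \'E\' and then \\\'E\\\' .

// Undo magic_quotes_gpc once, at the entry point, so the rest of the script
// sees the raw value the user actually typed. get_magic_quotes_gpc() exists
// up to PHP 7.4 and was removed in PHP 8, where magic quotes can never be on,
// hence the function_exists() guard.
function raw_get($name)
{
    $value = isset($_GET[$name]) ? $_GET[$name] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);             // \'E\'  ->  'E'
    }
    return $value;
}

$lookFor = raw_get('LookFor');                     // e.g. 'E', as typed

// Placeholder connection (hypothetical host, user, password and database).
$db = new mysqli('localhost', 'tutorial_user', 'tutorial_pass', 'tutorial_db');

// Option 1: keep the string-building style from the post, but escape exactly
// once, with the connection-aware escaper rather than addslashes().
$safe = $db->real_escape_string($lookFor);         // 'E'  ->  \'E\'  (once)
$sql  = "SELECT id, title FROM articles
         WHERE MATCH(title, body) AGAINST ('$safe' IN BOOLEAN MODE)";

// Option 2 (preferred): bind the value. The driver sends it separately from the
// SQL text, so neither magic quotes nor manual escaping can corrupt the query.
$stmt = $db->prepare("SELECT id, title FROM articles
                      WHERE MATCH(title, body) AGAINST (? IN BOOLEAN MODE)");
$stmt->bind_param('s', $lookFor);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br />\n";
}
```

Turning magic_quotes_gpc off in php.ini (or removing it entirely by moving to PHP 5.4 or later, where it no longer exists) is the cleaner fix; the stripslashes() guard above only exists so the code behaves the same on hosts where the setting cannot be changed.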