> Thanks for the reply, but I still can't seem to make the connection...
> If I enter the value
> 123\"/'
> in a web form and put the form post value directly into the db (no
> stripslashes or any other function), the value as reported by the db at a
> command line query is
> 123\"/'

That's not right. If you insert, exactly, 123\"/' into a database, the value in the table, as returned by a query from the command line, will be 123"/'

From the command line, to see what I mean, actually insert 123\"/' into a table and then select * from that table...

Somehow it is getting escaped twice. Can you show your code that processes all of this? I've got a secret security clearance, if that matters. ;)

> My current project is the first real app I have done for the Air Force in
> PHP. Most of the PHP work I have done is for query only db interfaces,
> counters, REMOTE_HOST tests for dynamic links or doing form-to-email type
> stuff. Entering data INTO a db adds a whole new set of challenges.

It's great that they're actually using PHP. I had to do quite a bit of "educating" and convincing to get the Army to use PHP at my Post.

---John W. Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
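The double escaping discussed in the message above, as an added example that is not part of the original thread: it shows what ends up stored when a value passes through zero, one or two escaping layers before reaching a quoted SQL literal. The function `stored_value()` is a hypothetical, simplified model of MySQL's string-literal decoding, the input is a constructed sample, and repeated `addslashes()` calls stand in for whatever escaping layers the poster's application actually has.

```php
<?php
// Hypothetical, simplified model of how MySQL reads the body of a
// single-quoted string literal: a backslash makes the next character literal,
// and an unescaped ' ends the literal. Control escapes (\n, \0, ...) are omitted.
function stored_value(string $body): array
{
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $out .= $body[++$i];      // drop the backslash, keep the character
        } elseif ($c === "'") {
            return [$out, false];     // literal ended early: the query is broken
        } else {
            $out .= $c;
        }
    }
    return [$out, true];
}

$typed = '123"/\'';                   // constructed sample form input

for ($passes = 0; $passes <= 2; $passes++) {
    $body = $typed;
    for ($n = 0; $n < $passes; $n++) {
        $body = addslashes($body);    // one escaping layer per pass
    }
    [$stored, $intact] = stored_value($body);
    if (!$intact) {
        $verdict = 'unescaped quote ends the literal early';
    } elseif ($stored === $typed) {
        $verdict = 'stored value matches what was typed';
    } else {
        $verdict = 'backslashes stored as data: escaped more than once';
    }
    printf("%d pass(es)  literal body: %-14s stored: %-10s %s\n",
        $passes, $body, $stored, $verdict);
}
```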

