I’m trying to clean up some user input for my database but the mysql_real_escape_string function doesn’t seem to work, and neither does addslashes(). I’ve browsed the net and made sure I’m connected to the database before the function is called. I can’t figure out what I doing wrong. Here’s the relevant part of the code:
mysql_connect("localhost","adminname","adminpassword") or die (mysql_error());
mysql_select_db("databasename") or die (mysql_error());
$comment=mysql_real_escape_string($_POST);
?>
…and then the result is put into the database along with some other data.
The database entry is correct, except, when I check the database or echo the result I get the same thing that was entered into ‘commentbox’. For instance, if I enter “I am very ‘confused’ by this” into the box, the same string will be found in the database table. No slashes, just quotes. Anyone have an idea what’s wrong with this? Because it all seems simple and correct but doesn’t work.
