I have a regular input field with type text and a submit button (update_form) in a form. Once the submit button is clicked, the data from the input is sent to a PHP script that should save it to the DB and display the updated HTML page. All works fine but one thing - I am not quite sure when to use mysqli_real_escape_string.
Example:
    if (isset($_POST["update_form"])) {
        connectDatabase(); // just opens the connection
        $name = $_POST["page_name"];
        echo $name . "<br>";
        $name = mysqli_real_escape_string($connection, $name);
        echo $name . "<br>";
        //...do the rest, queryDatabase($query);
    }
Let's assume I will type "Tim's place" into the text field and I will hit the submit button. If I use the script above, it will echo the following:
    Tim\'s place
    Tim\\\'s place
So in the HTML output it will look like this:
    Tim's place
    Tim\'s place
What does this mean? Why do I have an additional backslash after doing mysqli_real_escape_string? Or is this not necessary when using POST variables? Really confused.
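The double escaping described in the question, reproduced as an added example that is not part of the original post. It assumes the POST value reaches the script already slash-escaped (as PHP's old magic_quotes_gpc setting did); `sql_escape()` and `raw_input()` are hypothetical helpers, and `addslashes()` stands in for `mysqli_real_escape_string()` so the script runs without a database connection.

```php
<?php
// Constructed sample: what $_POST["page_name"] holds when the runtime has
// already slash-escaped the submitted text "Tim's place" (assumption).
$posted = "Tim\\'s place";

// Hypothetical stand-in for mysqli_real_escape_string(); for this input
// both functions escape the same two characters, ' and \.
function sql_escape(string $s): string
{
    return addslashes($s);
}

// Hypothetical helper: undo request-level escaping exactly once, at the
// input boundary, so the rest of the code works with the real value.
function raw_input(string $s, bool $alreadyEscaped): string
{
    return $alreadyEscaped ? stripslashes($s) : $s;
}

// Path taken in the question: escaping a value that is already escaped.
// The backslash added earlier is now treated as data and escaped again,
// so the database ends up storing a literal backslash.
$doubleEscaped = sql_escape($posted);

// Corrected path: recover the raw value first, then escape once for SQL.
$raw = raw_input($posted, true);
$escapedOnce = sql_escape($raw);

// SQL escaping is only for the query. Text echoed into the page needs
// HTML escaping of the raw value instead.
$forHtml = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

$rows = [
    'as received'           => $posted,
    'escaped again for SQL' => $doubleEscaped,
    'raw value'             => $raw,
    'escaped once for SQL'  => $escapedOnce,
    'escaped for HTML'      => $forHtml,
];
foreach ($rows as $label => $value) {
    echo str_pad($label, 24) . $value . PHP_EOL;
}
```

With mysqli prepared statements and bound parameters the raw value is passed to the query directly and no SQL escaping call is needed.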