peuge Posted July 11, 2008 (https://forums.phpfreaks.com/topic/114260-is-this-safe/)

So I have a simple site for artists and have an admin section where they can edit stuff like "about me", etc. So I send their new "about me" to the right table and all... Now I need characters such as ", ' etc. to be usable. So is it safe, or do I need to use mysql_real_escape_string?
mbeals Posted July 11, 2008

If you have to ask "is it safe", it probably isn't, and in this case that is true. Escape ALL form-generated input going into a database. It doesn't matter if it comes from a text box, a select box, or even a hidden field. In fact, you have to escape it to allow single quotes; otherwise the query will break, regardless of whether it's intentional injection or not.
ag3nt42 Posted July 11, 2008

Well, technically the RISK factor has to do with what exactly you're building and WHO is going to be using it... In your case, it would be in your best interest to set up escapes on your inputs, because you do not know and will not really know the users on your site. All it takes is one. You can still allow them to enter code, but just restrict what code they can enter.
RichardRotterdam Posted July 11, 2008

You could just replace the single quotes with an ASCII character entity and then do the mysql_real_escape_string(). I'm sure that would be safe and it would allow the single quote to be displayed.

<?php
// replace each single quote with the HTML entity for ASCII character 39
$string = str_replace("'", "&#39;", $string);
$string = mysql_real_escape_string($string);
?>

PS: it should be just the 39 character, but this forum messes it up somehow.
kenrbnsn Posted July 11, 2008

You use the mysql_real_escape_string() function to make data safe to insert into the database. You use either the htmlentities() or htmlspecialchars() function to make the data safe for display.

Ken
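The two-step pattern in the reply above, as an added example that is not code from the thread. It uses today's PHP APIs: a PDO prepared statement carries the raw text to MySQL in place of mysql_real_escape_string() (the 2008 API the thread discusses), and htmlspecialchars() is applied only at display time. The table `artists` with columns `id` and `about_me`, the DSN, and the credentials are assumptions and placeholders.

```php
<?php
// Added example, not code from the thread. Two separate steps: make the data
// safe for the database (bound parameter), then make it safe for display
// (htmlspecialchars). Assumed schema: table `artists` (id, about_me).

function saveAboutMe(PDO $db, int $artistId, string $aboutMe): void
{
    // The text is sent as a bound parameter, never spliced into the SQL string,
    // so quotes inside it cannot alter the statement and need no escaping here.
    $stmt = $db->prepare('UPDATE artists SET about_me = :about WHERE id = :id');
    $stmt->execute([':about' => $aboutMe, ':id' => $artistId]);
}

function loadAboutMe(PDO $db, int $artistId): string
{
    $stmt = $db->prepare('SELECT about_me FROM artists WHERE id = :id');
    $stmt->execute([':id' => $artistId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : (string) $row['about_me'];
}

// Escaping for the output context happens at render time only; what is stored
// stays exactly as the artist typed it, so stripslashes() is never needed.
function renderAboutMe(string $aboutMe): string
{
    // ENT_QUOTES converts both " and ', so the result is also safe inside
    // single- or double-quoted HTML attributes.
    $safe = htmlspecialchars($aboutMe, ENT_QUOTES, 'UTF-8');
    return '<p>' . nl2br($safe) . '</p>';
}

$db = new PDO(
    'mysql:host=localhost;dbname=artsite;charset=utf8mb4', // placeholder DSN
    'DB_USER',                                              // placeholder
    'DB_PASSWORD',                                          // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let the server bind the values
    ]
);

// Constructed sample input containing both quote characters from the question.
$submitted = "I'm a painter; my \"studio\" is in Rotterdam.\nSee <b>my work</b> online.";
saveAboutMe($db, 1, $submitted);
echo renderAboutMe(loadAboutMe($db, 1));
```

Because the stored text is never modified on the way in, the same value can later be escaped for a different output context (a JSON API, an e-mail) without first undoing a database-specific transformation.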
peuge (Author) Posted July 11, 2008

Thanks for all the help. Thought it was something along these lines, just wanted to make sure. One more thing: when displaying the data, could I use stripslashes()? Thanks.
waynew Posted July 11, 2008

I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong.
discomatt Posted July 11, 2008

> I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong.

You are right.
KevinM1 Posted July 11, 2008

> > I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong.
>
> You are right.

Unless you're in an environment using Magic Quotes.
waynew Posted July 11, 2008

Probably best to check to see if they're on and, if so, use stripslashes, then mysql_real_escape_string. Damn magic quotes.
discomatt Posted July 11, 2008

Oh, well, that's a given. I always create my own escape function anyway... typing out mysql_real_escape_string is painful!

<?php
function dbSanitize($input, $quote = FALSE)
{
    # Parse array: sanitize every element recursively
    if (is_array($input)) {
        foreach ($input as $key => $var) {
            $input[$key] = dbSanitize($var, $quote);
        }
    }
    # Parse string
    else {
        # Check if already escaped by magic_quotes_gpc
        if (get_magic_quotes_gpc()) {
            # Remove useless escapes
            $input = stripslashes($input);
        }
        # Sanitize and quote if necessary
        $input = ($quote ? '\'' : '') . mysql_real_escape_string($input) . ($quote ? '\'' : '');
    }
    # Return sanitized string
    return $input;
}
?>
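The magic quotes problem raised by KevinM1 and waynew above, shown as an added example that is not code from the thread. It needs no database: magic_quotes_gpc applied addslashes() to every request value, so escaping that value a second time stored a literal backslash. Here addslashes() stands in for mysql_real_escape_string() (which needs a live connection) and stripslashes() stands in for the server parsing the quoted literal; both stand-ins are assumptions made for the simulation, and the sample text is constructed.

```php
<?php
// Added example, not code from the thread. Simulates what ends up in the
// database for the same typed text under three input-handling policies.
// addslashes()/stripslashes() are stand-ins for the real driver escaping and
// the server's literal parsing; PHP 5.4 removed magic quotes entirely.

function dbEscape(string $s): string
{
    return addslashes($s); // stand-in for mysql_real_escape_string()
}

function dbStore(string $quotedLiteral): string
{
    // What the server keeps after it parses a quoted, escaped literal.
    return stripslashes(substr($quotedLiteral, 1, -1));
}

function normalizeInput(string $value, bool $magicQuotesOn): string
{
    // Undo the runtime's automatic escaping once, at input time, so every
    // later layer (escaping, display) sees the raw text.
    return $magicQuotesOn ? stripslashes($value) : $value;
}

function simulateSave(string $typed, bool $magicQuotesOn, bool $normalize): string
{
    $fromRequest = $magicQuotesOn ? addslashes($typed) : $typed; // what $_POST held
    $value = $normalize ? normalizeInput($fromRequest, $magicQuotesOn) : $fromRequest;
    $literal = "'" . dbEscape($value) . "'";
    return dbStore($literal);
}

// Constructed sample input with the characters from the question.
$typed = "Dali's \"melting\" clocks";

foreach ([
    'magic quotes off, escape once'                      => [false, false],
    'magic quotes on, escape again without stripslashes' => [true,  false],
    'magic quotes on, stripslashes then escape'          => [true,  true],
] as $label => [$magicQuotesOn, $normalize]) {
    $stored = simulateSave($typed, $magicQuotesOn, $normalize);
    printf("%-52s stored: %s  %s\n", $label, $stored,
        $stored === $typed ? '(intact)' : '(corrupted)');
}
```

The second case is the one the original poster's stripslashes()-on-display idea would mask: the page would look right, but the row itself holds stray backslashes, and any other consumer of that column (an RSS feed, a search index) sees the corrupted text. Stripping magic-quote slashes belongs at input normalization, before the single escaping step, as dbSanitize() above does.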