peuge Posted July 11, 2008 Share Posted July 11, 2008 So I have a simple site for artists and have an admin section where they can edit stuff like about me etc. So I send their new about me to the right table and all... Now I need characters such as ", ' etc to be used. So is it safe, or do I need to use mysql_real_escape_string? Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/ Share on other sites More sharing options...
mbeals Posted July 11, 2008 Share Posted July 11, 2008 if you have to ask 'is it safe' it probably isn't and in this case that is true. escape ALL form generated input going into a database. Doesn't matter if it comes from a text box or a select box or even a hidden field. In fact, you have to escape it to allow single quotes, otherwise the query will break, regardless if it's intentional injection or not. Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587520 Share on other sites More sharing options...
ag3nt42 Posted July 11, 2008 Share Posted July 11, 2008 well technically the RISK factor has to do with wat exactly your building and WHO is going to be using it... in your case.. it would be in your best interest to setup escapes on your inputs.. because you do not know and will not really know the users on your site.. all it takes is one. You can still allow them to enter code but just restrict what code they can enter. Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587522 Share on other sites More sharing options...
RichardRotterdam Posted July 11, 2008 Share Posted July 11, 2008 you could just replace the single quotes with an ascii character and then do the mysql_real_escape_string() I'm sure that would be safe and it would allow the single quote to be displayed <?php $string=str_replace("'", "'",$string); $string=mysql_real_escape_string($string); ?> PS it should be just the 39 character but this forum messes it up somehow Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587523 Share on other sites More sharing options...
kenrbnsn Posted July 11, 2008 Share Posted July 11, 2008 You use the mysql_real_escape_function() to make data safe to insert into the database. You use either the htmlentities() or htmlspecialchars() function to make the data safe for display. Ken Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587535 Share on other sites More sharing options...
peuge Posted July 11, 2008 Author Share Posted July 11, 2008 Thanks for all the help. Thought it was something along these lines, just wanted to make sure. Once more thing, when displaying the data could I use stripslashes()? thanks Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587547 Share on other sites More sharing options...
waynew Posted July 11, 2008 Share Posted July 11, 2008 I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong. Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587574 Share on other sites More sharing options...
discomatt Posted July 11, 2008 Share Posted July 11, 2008 I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong. You are right. Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587595 Share on other sites More sharing options...
KevinM1 Posted July 11, 2008 Share Posted July 11, 2008 I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong. You are right. Unless you're in an environment using Magic Quotes. Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587637 Share on other sites More sharing options...
waynew Posted July 11, 2008 Share Posted July 11, 2008 Probably best to check to see if they're on and if so use stripslashes, the mysql_real_escape_string. Damn magic quotes Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587688 Share on other sites More sharing options...
discomatt Posted July 11, 2008 Share Posted July 11, 2008 Oh, well, that's a given. I always create my own escape function anyways... typing out mysql_real_escape_string is painful! <?php function dbSanitize ( $input, $quote = FALSE ) { # Parse array if ( is_array($input) ) foreach ($input as $key => $var) $input[$key] = dbSanitize( $var, $quote ); # Parse string else { # Check if already escaped if (get_magic_quotes_gpc()) # Remove useless escapes $input = stripslashes($input); # Sanitize and quote if necessary $input = ( $quote ? '\'' : '' ) . mysql_real_escape_string($input) . ( $quote ? '\'' : '' ); } # Return sanitized string return $input; } ?> Link to comment https://forums.phpfreaks.com/topic/114260-is-this-safe/#findComment-587780 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.