Is this safe?

peuge · July 11, 2008

So I have a simple site for artists and have an admin section where they can edit stuff like about me etc. So I send their new about me to the right table and all... Now I need characters such as ", ' etc to be used. So is it safe, or do I need to use mysql_real_escape_string?

mbeals · July 11, 2008

if you have to ask 'is it safe' it probably isn't and in this case that is true.

escape ALL form generated input going into a database. Doesn't matter if it comes from a text box or a select box or even a hidden field. In fact, you have to escape it to allow single quotes, otherwise the query will break, regardless if it's intentional injection or not.

ag3nt42 · July 11, 2008

well technically the RISK factor has to do with wat exactly your building and WHO is going to be using it...

in your case.. it would be in your best interest to setup escapes on your inputs.. because you do not know and will not really know the users on your site.. all it takes is one.

You can still allow them to enter code but just restrict what code they can enter.

RichardRotterdam · July 11, 2008

you could just replace the single quotes with an ascii character and then do the mysql_real_escape_string()

I'm sure that would be safe and it would allow the single quote to be displayed

<?php
$string=str_replace("'", "&#39;",$string);
$string=mysql_real_escape_string($string);
?>

PS it should be just the 39 character but this forum messes it up somehow

kenrbnsn · July 11, 2008

You use the mysql_real_escape_function() to make data safe to insert into the database.

You use either the htmlentities() or htmlspecialchars() function to make the data safe for display.

Ken

peuge · July 11, 2008

Thanks for all the help. Thought it was something along these lines, just wanted to make sure.

Once more thing, when displaying the data could I use stripslashes()?

thanks

waynewex · July 11, 2008

I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong.

discomatt · July 11, 2008

I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong.

You are right.

KevinM1 · July 11, 2008

I'm pretty sure that you don't have to use stripslashes with mysql_real_escape_string... somebody correct me if I am wrong.

You are right.

Unless you're in an environment using Magic Quotes.

waynewex · July 11, 2008

Probably best to check to see if they're on and if so use stripslashes, the mysql_real_escape_string.

Damn magic quotes >:(

discomatt · July 11, 2008

Oh, well, that's a given.

I always create my own escape function anyways... typing out mysql_real_escape_string is painful!

<?php

function dbSanitize ( $input, $quote = FALSE ) {

# Parse array
if ( is_array($input) )
	foreach ($input as $key => $var)
		$input[$key] =	dbSanitize( $var, $quote );

# Parse string
else {
	# Check if already escaped
	if (get_magic_quotes_gpc())
		# Remove useless escapes
		$input = stripslashes($input);

	# Sanitize and quote if necessary
	$input =
		( $quote ? '\'' : '' ) .
		mysql_real_escape_string($input) .
		( $quote ? '\'' : '' );
}

# Return sanitized string
return $input;

}

?>

Sign In

Is this safe?

Recommended Posts

peuge

Link to comment

Share on other sites

mbeals

Link to comment

Share on other sites

ag3nt42

Link to comment

Share on other sites

RichardRotterdam

Link to comment

Share on other sites

kenrbnsn

Link to comment

Share on other sites

peuge

Link to comment

Share on other sites

waynewex

Link to comment

Share on other sites

discomatt

Link to comment

Share on other sites

KevinM1

Link to comment

Share on other sites

waynewex

Link to comment

Share on other sites

discomatt

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information