webref.eu, posted August 2, 2008:

Can experts please tell me if they agree with the below.

- Before adding form input into a database, you should check whether magic quotes is on. If it is, remove the backslashes with stripslashes.
- Then use mysql_real_escape_string in the query to insert the data into the database. mysql_real_escape_string will escape any characters whilst the query is performed, BUT THIS IS NOT CARRIED THROUGH INTO THE DATA IN THE DATABASE, i.e. you do not see any backslash escape characters in your database.
- All this can be done with a function like the below:

```php
function makeSQLSafe($str) {
    // check the status of magic_quotes_gpc; if this returns true
    // we remove the escaped characters, allowing the real escaping
    // to be done via mysql_real_escape_string
    if (get_magic_quotes_gpc()) {
        // remove the slashes
        $str = stripslashes($str);
    }
    $str = mysql_real_escape_string($str);
    return $str;
}
```

- Then the query would be:

```php
// database query
$query = "INSERT INTO Users (Username, Password, Email, SubscribeToNewsletter) VALUES ('"
    . makeSQLSafe($Username) . "', '"
    . makeSQLSafe($Password) . "', '"
    . makeSQLSafe($Email) . "', '"
    . makeSQLSafe($SubscribeToNewsletter) . "')";
```

- So, do you agree with all the above?

One other question I have is whether mysql_real_escape_string should have a connection indicated, i.e. should:

```php
$str = mysql_real_escape_string($str);
```

actually be:

```php
$str = mysql_real_escape_string($str, $conn);
```

Thanks all for any comments.

Link: https://forums.phpfreaks.com/topic/117838-making-safe-for-db-insertion-with-a-function/
wildteen88, posted August 2, 2008:

Yes, that is fine; however, you don't need to pass the connection to mysql_real_escape_string. This is only required when you are using more than one database connection at a time.
waynew, posted August 2, 2008:

Looks good.
cooldude832, posted August 2, 2008:

People need to remove old PHP tutorials; magic quotes is a thing of the past. http://us2.php.net/magic_quotes
webref.eu (author), posted August 2, 2008:

> Yes, that is fine; however, you don't need to pass the connection to mysql_real_escape_string. This is only required when you are using more than one database connection at a time.

- So, it's not bad practice to not specifically state the connection?
- The function will automatically use whatever connection is open at the time, correct?
- I was going to put the makeSQLSafe function into my shared functions file, inc-functions.php. Is this something you would normally do? Is this a good technique?

Many thanks for your help guys, I appreciate it.

Rgds
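The same INSERT written two ways, as an added example that is not part of the thread: first the thread's escaping approach with the connection passed explicitly (using the mysqli extension rather than the older mysql_ functions the posts use), then the same insert as a prepared statement, which removes the need for escaping and for the magic-quotes check altogether. It assumes a live mysqli connection `$conn` and a table `Users(Username, Password, Email, SubscribeToNewsletter)`; the input values are constructed.

```php
<?php
// Added example, not from the thread. Assumes $conn is an open mysqli link.

// 1. The thread's approach, but with the link passed explicitly so the escaping
//    uses the character set of the connection the query will actually run on.
function makeSQLSafe(mysqli $conn, string $str): string {
    // magic_quotes_gpc was removed in PHP 5.4; on older installs strip its
    // backslashes first so the value is not escaped twice.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysqli_real_escape_string($conn, $str);
}

function insertUserEscaped(mysqli $conn, array $u): bool {
    $query = "INSERT INTO Users (Username, Password, Email, SubscribeToNewsletter) VALUES ('"
        . makeSQLSafe($conn, $u['Username']) . "', '"
        . makeSQLSafe($conn, $u['Password']) . "', '"
        . makeSQLSafe($conn, $u['Email']) . "', '"
        . makeSQLSafe($conn, $u['SubscribeToNewsletter']) . "')";
    return (bool) mysqli_query($conn, $query);
}

// 2. Prepared statement: the values never become part of the SQL text, so a
//    quote in the input (o'brien) cannot change the query's structure.
function insertUserPrepared(mysqli $conn, array $u): bool {
    $stmt = $conn->prepare(
        'INSERT INTO Users (Username, Password, Email, SubscribeToNewsletter) VALUES (?, ?, ?, ?)'
    );
    $username = $u['Username'];
    $password = $u['Password'];   // in practice store a password hash, not the plaintext
    $email    = $u['Email'];
    $sub      = $u['SubscribeToNewsletter'];
    $stmt->bind_param('ssss', $username, $password, $email, $sub);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample input containing a single quote, the character the escaping exists for.
$user = [
    'Username'              => "o'brien",
    'Password'              => 'secret',
    'Email'                 => 'obrien@example.com',
    'SubscribeToNewsletter' => 'yes',
];
var_dump(insertUserEscaped($conn, $user));
var_dump(insertUserPrepared($conn, $user));
```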