limitphp Posted October 28, 2008

When creating a site with a username and password login, is it necessary to use the functions get_magic_quotes_gpc() and mysql_real_escape_string? I have never heard about these before. They take weird characters like slashes or quotes off the entries in the password or username? Thanks. I'm using wampserver phpadmin 5.2.6

https://forums.phpfreaks.com/topic/130435-solved-use-get_magic_quotes_gpc-and-mysql_real_escape_string/
trq Posted October 28, 2008

ALL user input should be passed through mysql_real_escape_string. You would only use get_magic_quotes_gpc to check if magic quotes are enabled, and if so, use stripslashes on your data prior to mysql_real_escape_string.
limitphp Posted October 28, 2008 (Author)

I'm a little confused by this code:

    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }

Is it checking to see if it's not a numeric value, then adding quotes around it and taking away any special characters in the value? If so, is it ok to add quotes around the value? Are you supposed to do that? Thanks.
PFMaBiSmAd Posted October 28, 2008

The idea behind that code is that if the value is not a number, it is a string. This is not always true, because there are cases where data that evaluates as numeric is treated and stored as strings, and that code would fail to give the needed results. Strings must be quoted in a query.

The normal way of writing a query is that the query shows the syntax being used. Quotes are shown in the query where they need to be and the $value is just the data:

    $query = "SELECT your_column FROM your_table WHERE your_column = '$value'";

vs. quotes are part of the data:

    $query = "SELECT your_column FROM your_table WHERE your_column = $value";

The problem with the second way is that if you or anyone else needs to read and troubleshoot the script, you must be familiar with the function code that prepared the data. A year from now, when you are having problems with a query written the second way, are you going to remember that quotes that are part of the syntax are actually present in the variable? And if you post the second query in a help forum, the first thing someone is going to tell you, just based on seeing it, is to add quotes around the value.
limitphp Posted October 28, 2008 (Author)

So you're saying I should change it to

    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }

and let me decide if it needs quotes or not in the query. And if there's an error, it's the query; that'll be one less thing I'll need to remember. Thanks.

Or actually this:

    function check_input($value) {
        // Strip slashes added by magic quotes, if enabled
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
        return $value;
    }
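The two approaches discussed above (the is_numeric() helper and the plain check_input() with quotes kept in the query), put side by side as an added example that is not code from the thread. It assumes an open connection made with mysql_connect(), which mysql_real_escape_string() needs for the server character set, and the users table and its columns are invented for illustration.

```php
<?php
// Added example, not from the thread. Assumes mysql_connect() has already
// been called. Note: magic_quotes_gpc was removed in PHP 5.4 and the mysql_*
// extension in PHP 7.0; this mirrors the PHP 5.2 code the thread discusses.

// limitphp's check_input(): undo magic quotes first, then escape for MySQL.
// Escaping twice would store literal backslashes, so the stripslashes step
// must come before mysql_real_escape_string().
function check_input($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value);
}

// The is_numeric() helper from the thread: numeric-looking input is left
// unquoted and unescaped, which is the case PFMaBiSmAd warns about.
function quote_if_string($value) {
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Constructed sample inputs: a ZIP code that is stored in a CHAR column,
// and a name containing a single quote.
$zip  = "01234";
$name = "O'Brien";

// Quotes in the query, data in the variable (the readable style):
$q1 = "SELECT * FROM users WHERE zip = '" . check_input($zip) . "'";
// ... WHERE zip = '01234'  (string compare, only the row holding '01234')

// Quotes added by the helper only when the value is non-numeric:
$q2 = "SELECT * FROM users WHERE zip = " . quote_if_string($zip);
// ... WHERE zip = 01234    (MySQL compares a string column to a number
//                          numerically, so '1234' also matches and the
//                          index on zip cannot be used)

// A quote in the data is escaped, so the query stays well-formed:
$q3 = "SELECT * FROM users WHERE name = '" . check_input($name) . "'";
// ... WHERE name = 'O\'Brien'
```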