
[SOLVED] Trimming, slashing, escaping and magic quotes? Sounds more like LSD than PHP.


webmaster1


Hi All,

 

I'm trying to 'correctly' insert input into my MySQL database.

 

If I use mysql_real_escape_string does this negate the requirement of magic_quotes (being on or off?) or the adding/stripping of slashes or the stripping of tags or trimming?

 

I've researched the manual but I don't get the hierarchy of what negates what. In my code below you'll notice I've added the mysql_real_escape_string to avoid any failed inserts due to conflicting characters.

 

I have not however added this for uploading the file paths. Is this where adding and removing slashes would come into play?

(I have not used magic_quotes because the manual says its identical to add slashes.) Oddly enough I came across this pearl of wisdom online:

 

That's the golden rule. You should never have to stripslashes. Ever.

 

Is it critical that I trim each variable?

 

Here's my code less the validation:

 

<?php

if (isset($_POST['submit'])){ 
  
//LOTS OF FORM VALIDATION HERE (OMITTED)	

// $HTTP_POST_FILES is the long-deprecated alias of $_FILES.
// basename() stops a crafted filename (e.g. one containing "../") from
// placing the file outside the upload directory.
$path1= "upload/".basename($_FILES['ufile']['name'][0]);
$path2= "upload/".basename($_FILES['ufile']['name'][1]);
$path3= "upload/".basename($_FILES['ufile']['name'][2]);

// move_uploaded_file() only acts on files that really arrived via the upload,
// which plain copy() does not check.
move_uploaded_file($_FILES['ufile']['tmp_name'][0], $path1);
move_uploaded_file($_FILES['ufile']['tmp_name'][1], $path2);
move_uploaded_file($_FILES['ufile']['tmp_name'][2], $path3);

include("dbinfo.php");
mysql_connect('localhost',$username,$password);
@mysql_select_db($database) or die( "Unable to establish a connection to the relevant database.");

// mysql_real_escape_string needs the open connection above, so escape after connecting.
$make = mysql_real_escape_string($_POST['make']);
$model = mysql_real_escape_string($_POST['model']);
$price = mysql_real_escape_string($_POST['price']);
$engine = mysql_real_escape_string($_POST['engine']);
$body = mysql_real_escape_string($_POST['body']);
$transmission = mysql_real_escape_string($_POST['transmission']);
$year = mysql_real_escape_string($_POST['year']);
$colour = mysql_real_escape_string($_POST['colour']);
$mileagem = mysql_real_escape_string($_POST['mileagem']);
$mileagekm = mysql_real_escape_string($_POST['mileagekm']);
$owners = mysql_real_escape_string($_POST['owners']);
$doors = mysql_real_escape_string($_POST['doors']);
$location = mysql_real_escape_string($_POST['location']);
$info = mysql_real_escape_string($_POST['info']);

// The upload paths are built from user-supplied filenames, so they are
// untrusted input for the query as well and get the same treatment.
$path1 = mysql_real_escape_string($path1);
$path2 = mysql_real_escape_string($path2);
$path3 = mysql_real_escape_string($path3);

$ipaddress = getenv('REMOTE_ADDR');

// Last column was '$path1' in the original; the third image path belongs here.
$query = "INSERT INTO test VALUES ('','$make','$model','$price','$engine','$body','$transmission','$year','$colour','$mileagem','$mileagekm','$owners','$doors','$location','$info',NOW(),'$ipaddress','$path1','$path2','$path3')";
mysql_query($query) or die(mysql_error());

exit();
} 
?>

<HTML>
<BODY>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post" enctype="multipart/form-data">
<fieldset>

    <ol>
    <li>
    <label for="make">Make:</label>
    <input type="text" name="make" id="make" class="text" value="<?php if (isset($_POST['make'])) echo htmlspecialchars($_POST['make']); ?>"/>
    <br />
    </li>

    <li>
    <label for="model">Model:</label>
    <input type="text" name="model" id="model" class="text" value="<?php if (isset($_POST['model'])) echo htmlspecialchars($_POST['model']); ?>"/>
    <br />
    </li>

    <li>
    <label for="price">Price:</label>
    <input type="text" name="price" id="price" class="text" value="<?php if (isset($_POST['price'])) echo htmlspecialchars($_POST['price']); ?>"/>
    <?php if (isset($message_price)) echo $message_price; ?>
    <br />
    </li>

    <li>
    <label for="engine">Engine:</label>
    <input type="text" name="engine" id="engine" class="text" value="<?php if (isset($_POST['engine'])) echo htmlspecialchars($_POST['engine']); ?>"/>
    </li>

    <li>
    <label for="body">Body Type:</label>
    <input type="text" name="body" id="body" class="text" value="<?php if (isset($_POST['body'])) echo htmlspecialchars($_POST['body']); ?>"/>
    </li>

    <li>
    <label for="transmission">Transmission:</label>
    <input type="text" name="transmission" id="transmission" class="text" value="<?php if (isset($_POST['transmission'])) echo htmlspecialchars($_POST['transmission']); ?>"/>    
    <br />
    </li>

    <li>
    <label for="year">Year:</label>
    <input type="text" name="year" id="year" class="text" value="<?php if (isset($_POST['year'])) echo htmlspecialchars($_POST['year']); ?>"/>
    <br />
    </li>

    <li>
    <label for="colour">Colour:</label>
    <input type="text" name="colour" id="colour" class="text" value="<?php if (isset($_POST['colour'])) echo htmlspecialchars($_POST['colour']); ?>"/>
    </li>

    <li>
    <label for="mileagem">Mileage M:</label>
    <input type="text" name="mileagem" id="mileagem" class="text" value="<?php if (isset($_POST['mileagem'])) echo htmlspecialchars($_POST['mileagem']); ?>"/>
    <br />
    </li>

    <li>
    <label for="mileagekm">Mileage KM:</label>
    <input type="text" name="mileagekm" id="mileagekm" class="text" value="<?php if (isset($_POST['mileagekm'])) echo htmlspecialchars($_POST['mileagekm']); ?>"/>
    <br />
    </li>

    <li>
    <label for="owners">Owners:</label>
    <input type="text" name="owners" id="owners" class="text" value="<?php if (isset($_POST['owners'])) echo htmlspecialchars($_POST['owners']); ?>"/>
    <br />
    </li>

    <li>
    <label for="doors">Doors:</label>
    <input type="text" name="doors" id="doors" class="text" value="<?php if (isset($_POST['doors'])) echo htmlspecialchars($_POST['doors']); ?>"/>
    <br />
    </li>

    <li>
    <label for="location">Location:</label>
    <input type="text" name="location" id="location" class="text" value="<?php if (isset($_POST['location'])) echo htmlspecialchars($_POST['location']); ?>"/>
    </li>

    <li>
    <label for="info">Additional Information:</label><br />
    <!-- textarea is not a self-closing element; re-displaying the raw value needs HTML escaping, not stripslashes -->
    <textarea name="info" id="info" rows="5" cols="50"><?php if (isset($_POST['info'])) echo htmlspecialchars($_POST['info']); ?></textarea>
    <br />
    </li>

    <li>
    <label for="ufile1">Image File 1:</label>
    <input type="file" name="ufile[]" id="ufile1"/>
    </li>


    <li>
    <label for="ufile2">Image File 2:</label>
    <input type="file" name="ufile[]" id="ufile2"/>
    </li>

    <li>
    <label for="ufile3">Image File 3:</label>
    <input type="file" name="ufile[]" id="ufile3"/>
    <br />
    </li>
    
    <li>
    <input name="submit" type="submit">
    </li>

</ol>
</fieldset>
</form>	
</BODY>
</HTML>


mysql_real_escape_string is the one you should be using.

 

Don't rely on anything called 'magic' (i.e. assume that magic quotes are disabled and, if possible, have them disabled). If they're enabled you might need to strip slashes before mysql_real_escape_string ... although I'm not sure about it... I just have them disabled in all cases.

 

You strip tags when you're afraid someone might inject some HTML that, when displayed on your site, might do harm. So it's only needed for data that will be displayed at some point or another.

 

If you did everything correctly, there should be no need to add or strip slashes when outputting data from database.

 

And trim... it's just for removing whitespace... use it whenever you want to... trim whitespace.
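The order of operations Mchl describes, written out as an added illustration (this is not code from the original post, from Mchl, or from the PHP manual): undo magic_quotes_gpc exactly once on the way in and only when it is really on, trim, escape once for SQL immediately before the query on the live connection, and escape for HTML only at display time. The `test` table with `make`/`model` columns, the `$username`/`$password`/`$database` variables from dbinfo.php and the posted field names are assumptions taken from the code above; the mysqli prepared-statement version at the end is the alternative that removes the need to escape for SQL at all.

```php
<?php
// Added example, not part of the original thread. Assumes dbinfo.php defines
// $username, $password and $database, and that table `test` has columns
// make and model (hypothetical schema, simplified from the post).
include("dbinfo.php");

// Step 1: normalise input once, where it enters the script.
// With magic_quotes_gpc on, a posted O'Reilly arrives as O\'Reilly. Escaping
// that again with mysql_real_escape_string turns it into O\\\'Reilly and the
// row ends up storing a literal backslash, which is the only reason people
// ever reach for stripslashes() on output. Undoing the slashes here, and only
// when magic quotes actually added them, keeps the stored data clean.
// get_magic_quotes_gpc() is deprecated in PHP 7.4 and gone in 8.0, hence the guard.
function raw_input($value)
{
    if (is_array($value)) {
        return array_map('raw_input', $value);
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// Step 2: escape for SQL as the last step before the query, on the open
// connection, so the escaping matches the connection's character set.
function sql_literal($link, $value)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Step 3: escape for HTML only when displaying. strip_tags() is a separate,
// optional policy decision about what content to keep; htmlspecialchars() is
// what stops stored text from being interpreted as markup.
function html_text($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$make  = raw_input(isset($_POST['make'])  ? $_POST['make']  : '');
$model = raw_input(isset($_POST['model']) ? $_POST['model'] : '');

$link = mysql_connect('localhost', $username, $password)
    or die('Unable to connect: ' . mysql_error());
mysql_select_db($database, $link) or die(mysql_error($link));

$query = sprintf(
    "INSERT INTO test (make, model) VALUES (%s, %s)",
    sql_literal($link, $make),
    sql_literal($link, $model)
);
mysql_query($query, $link) or die(mysql_error($link));

// Re-displaying what was submitted: HTML-escape at output, never stripslashes.
echo '<input type="text" name="make" value="' . html_text($make) . '"/>';

// Same insert with mysqli prepared statements: the values never touch the SQL
// text, so there is nothing to escape for SQL and nothing to strip later.
$db = new mysqli('localhost', $username, $password, $database);
if ($db->connect_error) {
    die('Unable to connect: ' . $db->connect_error);
}
$stmt = $db->prepare('INSERT INTO test (make, model) VALUES (?, ?)');
$stmt->bind_param('ss', $make, $model);
$stmt->execute();
$stmt->close();
$db->close();
```

Because the value is escaped once for the one destination it is heading to, what comes back out of the database is exactly what the user typed, which is why the "you should never have to stripslashes" rule holds: if stripslashes is needed on output, something upstream escaped twice.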

Righto I'll stick to mysql_real_escape_string and trimming where necessary.

 

I'll not add a single line of code related to magic quotes since from your explanation they seem to be off by default.

 

Thanks Mchl!

 

I'll not add a single line of code related to magic quotes since from your explanation they seem to be off by default.

 

 

I think that's the default for PHP5, and besides they'll be removed altogether in PHP6

See: http://pl.php.net/manual/en/security.magicquotes.php

Archived

This topic is now archived and is closed to further replies.
