shadiadiph, Posted December 17, 2008

Mmm, I am new to this. I was using addslashes before but have been told it is very insecure, so I have tried changing it to mysql_real_escape_string( without success. Can anyone tell me why this is not working? Thanks in advance.

<? session_start(); error_reporting(mht); ?>
<?PHP
include("global/connection.php");
include("global/mail.class.php");
error_reporting(7);
$type = ($_POST["type"]);
$account = ($_POST["account"]);
$company = ($_POST["company"]);
$position = ($_POST["position"]);
$username = ($_POST["username"]);
$email = ($_POST["email"]);
$password = ($_POST["pw1"]);
$firstname = ($_POST["fname"]);
$lastname = ($_POST["lname"]);
$street = ($_POST["street"]);
$city = ($_POST["city"]);
$state = ($_POST["state"]);
$postal = ($_POST["postal"]);
$country = ($_POST["country"]);
$checkuser ="select intAccountID from tbluserdetails where username ='$username'";
$temps = $DB_site->query($checkuser);
$total = $DB_site->num_rows($temps);
if ($total>0) {
?>
<script>
alert("Username already in use. Please try some other username")
history.back()
</script>
<?
} else {
$insertsql = " insert into tbluserdetails (type, account, company, position, username, email, password, firstname, lastname, street, city, state, postal, country, status, memlevel, sendemails, emailssent, emailsrec, unread, logged, dtadded) values = mysql_real_escape_string('$type', '$account', '$company', '$position', '$username', '$email', '$password', '$firstname', '$lastname', '$street', '$city', '$state', '$postal', '$country', 'UNACT', '4', '3', '0', '0', '0', 'N', now())";
$DB_site->query($insertsql);
?>
genericnumber1, Posted December 17, 2008

mysql_real_escape_string() only accepts one string at a time (the second param is an optional connection handle) and it is NOT a mysql function - it's a php function - and should be used as such. See: http://us.php.net/mysql_real_escape_string
shadiadiph (author), Posted December 17, 2008

OK, I understand what you mean, thanks. Is it really necessary to even use it? When I removed the mysql_real_escape_string from the script it wrote to the database straight away. If I have to put mysql_real_escape_string('$type'); mysql_real_escape_string('$account'); etc. it will take forever. Are there any advantages to using it against not using it?
genericnumber1, Posted December 17, 2008

You'd need to remove the quotes: mysql_real_escape_string($type); and yes, you should ALWAYS use it for user input. If you don't, it would be trivial for someone to have direct access to your database. Google "sql injection" for more info on why you should always sanitize user input that will be used in a query.
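A worked version of the approach in the reply above, added here as an example (it is not code from the thread): each submitted value is escaped on its own and the clause is written as VALUES (...), with a prepared-statement variant that needs no escaping step. It keeps the original table and column names but assumes an open mysqli connection ($db) and uses the mysqli equivalents, since the mysql_* functions were removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Same table and columns as the
// original post; $db is assumed to be an open mysqli connection. The old
// mysql_* functions are gone since PHP 7, so the mysqli equivalents are used.

// Form fields the script may store, in the order of the INSERT column list.
const ALLOWED_FIELDS = ['type', 'account', 'company', 'position', 'username',
    'email', 'pw1', 'fname', 'lname', 'street', 'city', 'state', 'postal', 'country'];

const COLUMN_LIST = 'type, account, company, position, username, email, password, '
    . 'firstname, lastname, street, city, state, postal, country, status, memlevel, '
    . 'sendemails, emailssent, emailsrec, unread, logged, dtadded';

// Approach 1: escape each value separately and embed it as a quoted SQL literal.
// The escape function takes exactly one string per call and needs the open connection.
function buildInsertEscaped(mysqli $db, array $post): string
{
    $literals = [];
    foreach (ALLOWED_FIELDS as $field) {
        $raw = isset($post[$field]) ? (string) $post[$field] : '';
        $literals[] = "'" . mysqli_real_escape_string($db, $raw) . "'";
    }
    // Fixed defaults from the original query; the syntax is VALUES (...), not "values = ...".
    $fixed = "'UNACT', '4', '3', '0', '0', '0', 'N', NOW()";
    return 'INSERT INTO tbluserdetails (' . COLUMN_LIST . ') VALUES ('
        . implode(', ', $literals) . ', ' . $fixed . ')';
}

// Approach 2: a prepared statement. Values travel separately from the SQL text,
// so a quote inside a field can never change the query's structure.
function insertPrepared(mysqli $db, array $post): bool
{
    $placeholders = implode(', ', array_fill(0, count(ALLOWED_FIELDS), '?'));
    $sql = 'INSERT INTO tbluserdetails (' . COLUMN_LIST . ') VALUES ('
        . $placeholders . ", 'UNACT', '4', '3', '0', '0', '0', 'N', NOW())";
    $stmt = $db->prepare($sql);
    $params = array_map(
        function ($f) use ($post) { return isset($post[$f]) ? (string) $post[$f] : ''; },
        ALLOWED_FIELDS
    );
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    return $stmt->execute();
}

// Constructed sample input: a surname with a single quote, the case that breaks an unescaped query.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials
$sample = ['username' => 'obrien', 'email' => 'o@example.com', 'lname' => "O'Brien"];
echo buildInsertEscaped($db, $sample), "\n";
```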