[SOLVED] Is this right - mysql_real_escape_string??

[mike12255]

did i use this function correct to protect me??

 

<?php 
$insertpost="INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";// Lest insert this stuff into the database<br />

mysql_query($insertpost);
mysql_real_escape_string($name);
mysql_real_escape_string($subject);
mysql_real_escape_string($yourpost);
mysql_real_escape_string($displayetime);
mysql_real_escape_string($thedate);
?>

[trq]

Not at all. For starters, your not using it untill after your query. Secondly, your not saving the results back into the variables you need.

 

<?php

$name = mysql_real_escape_string($name);
$subject = mysql_real_escape_string($subject);
$yourpost = mysql_real_escape_string($yourpost);
$displayetime = mysql_real_escape_string($displayetime);
$thedate = mysql_real_escape_string($thedate);

$insertpost="INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";// Lest insert this stuff into the database<br />

mysql_query($insertpost);
?>

[mike12255]

so using mysql_real_escape_string makes it so i dont need strip_tags?

 

 $name = strip_tags($name);
  $subject = strip_tags($subject);
  $yourpost = strip_tags($yourpost);

[Mchl]

No. strip_tags strips HTML tags from input. mysql_real_escape_string escapes characters, that have special meaning for MySQL (like ' )

[mike12255]

so its wise to run both statments?? - im going to be displaying this data im getting

[jackpf]

You'll probably also need addslashes() tbh

 

The wonderful world of functions...

[Mchl]

You'll probably also need addslashes() tbh

 

The wonderful world of functions...

 

Not true, unless you're doing something entirely else with this data. Running addslashes together with mysql_real_escape_string will result in corrupted data in mysql tables.

 

mike12255: Use mysql_real_escape_string on all data to be used in mysql queries, that are input by users.

Use strip_tags to remove any HTML that you don't want to allow users to input.

Yes, it is ok to run both functions.

 

 

[jackpf]

I thought you had to run addslashes() on all data being used for sql?

 

Does mysql_real_escape_string() run addslashes() aswell?

[Mchl]

It doesn't run addslashes(). It adds slashes. It's just it works a bit different than addslashes(). For one, it takes int account encoding of current connection to MySQL. Second, it escapes all MySQL specific control characters, while addslashes escapes only ' " \ and 0x00.

[jackpf]

Oh right...I didn't know that.

On my login/register script I use both. Seems to work...

[trq]

Oh right...I didn't know that.

On my login/register script I use both. Seems to work...

 

I'll bet you have slashes stored within your database. This is a sign of corrupt data. If data is escaped properly the slashes should never actually be stored within the database.

[jackpf]

I'll bet you have slashes stored within your database. This is a sign of corrupt data. If data is escaped properly the slashes should never actually be stored within the database.

 

No, oddly, it's all fine. I'll be sure to change it though, just to make sure

[Mchl]

You probably use stripslashes when retrieving data.

[jackpf]

You probably use stripslashes when retrieving data.

 

No. lol.

 

This is exactly it, and I don't use anything to manipulate it whilst extracting it-

 

addslashes(mysql_real_escape_string(htmlspecialchars($_POST['username'])));

[trq]

You mean....

 

$_POST["username"] = addslashes(mysql_real_escape_string(htmlspecialchars($_POST["username"])));

 

?

[jackpf]

No,

$username = addslashes(mysql_real_escape_string(htmlspecialchars($_POST['username'])));

 

I've changed it now anyway 

[Mchl]

Maybe you're just lucky then, and don't get any special chars in your data

 

Well... it's a bit strange what you say...

 

Let's take the exemplary string "O'Reilly"

Passing it through mysql_real_escape_string gives

"O\'Reilly"

Passing this through addslashes gives

"O\\\'Reilly"

 

 

[jackpf]

Tbh, it's probably just because I don't have many Irish people on my site

 

Come to think about it, I don't actually have anyone with escapeable chars in their username.

 

But if I hadn't happened to have stumbled across this thread, I'd wouldn't have learnt of the errors of my ways!