
[SOLVED] Is this right - mysql_real_escape_string??


mike12255


Did I use this function correctly to protect me?

 

<?php
// Let's insert this stuff into the database
$insertpost = "INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";

mysql_query($insertpost);
mysql_real_escape_string($name);
mysql_real_escape_string($subject);
mysql_real_escape_string($yourpost);
mysql_real_escape_string($displaytime);
mysql_real_escape_string($thedate);
?>

Not at all. For starters, you're not using it until after your query. Secondly, you're not saving the results back into the variables you need.

 

<?php
// Escape every user-supplied value first and keep the escaped result
$name = mysql_real_escape_string($name);
$subject = mysql_real_escape_string($subject);
$yourpost = mysql_real_escape_string($yourpost);
$displaytime = mysql_real_escape_string($displaytime); // same variable name as used in the query below
$thedate = mysql_real_escape_string($thedate);

// Let's insert this stuff into the database
$insertpost = "INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')";

mysql_query($insertpost);
?>

You'll probably also need addslashes() tbh :D

 

The wonderful world of functions...

 

Not true, unless you're doing something else entirely with this data. Running addslashes together with mysql_real_escape_string will result in corrupted data in MySQL tables.

 

mike12255: Use mysql_real_escape_string on all data that is input by users and is to be used in MySQL queries.

Use strip_tags to remove any HTML that you don't want to allow users to input.

Yes, it is ok to run both functions.

 

 

It doesn't run addslashes(). It adds slashes. It's just that it works a bit differently than addslashes(). For one, it takes into account the encoding of the current connection to MySQL. Second, it escapes all MySQL-specific control characters, while addslashes escapes only ' " \ and 0x00.

Oh right...I didn't know that.

On my login/register script I use both. Seems to work...

 

I'll bet you have slashes stored within your database. This is a sign of corrupt data. If data is escaped properly the slashes should never actually be stored within the database.


 

No, oddly, it's all fine. I'll be sure to change it though, just to make sure :D

Maybe you're just lucky then, and don't get any special chars in your data :P

 

Well... it's a bit strange what you say...

 

Let's take the exemplary string "O'Reilly"

Passing it through mysql_real_escape_string gives

"O\'Reilly"

Passing this through addslashes gives

"O\\\'Reilly"
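To make the double-escaping effect visible without a MySQL server, here is an added Python model (not code from the thread, and not PHP's real functions): mysql_escape() follows the character set that mysql_real_escape_string documents for a single-byte connection charset, addslashes() mirrors PHP's, and mysql_unescape() is an assumed model of how the server decodes a quoted literal, i.e. what actually lands in the table.

```python
# Constructed model of the escaping discussed in the thread; the real PHP
# functions need a live MySQL connection, so this reproduces their rules offline.

MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r",
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(s: str) -> str:
    """Escape like mysql_real_escape_string for a single-byte charset."""
    return "".join(MYSQL_ESCAPES.get(c, c) for c in s)


def addslashes(s: str) -> str:
    """PHP addslashes(): only ' \" \\ and NUL get a backslash."""
    return "".join(
        "\\0" if c == "\0" else ("\\" + c if c in "'\"\\" else c) for c in s
    )


def mysql_unescape(literal: str) -> str:
    """Decode a MySQL string-literal body; models what the server stores."""
    reverse = {v[1]: k for k, v in MYSQL_ESCAPES.items()}
    out, i = [], 0
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal):
            out.append(reverse.get(literal[i + 1], literal[i + 1]))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def stored_value(name: str, double_escape: bool = False) -> str:
    """Build the thread's INSERT for one column and return what MySQL stores."""
    escaped = mysql_escape(name)
    if double_escape:
        escaped = addslashes(escaped)  # the mistake the thread warns about
    query = f"INSERT INTO forumtutorial_posts(author) values('{escaped}')"
    literal = query[query.index("('") + 2 : query.rindex("')")]
    return mysql_unescape(literal)


if __name__ == "__main__":
    print(stored_value("O'Reilly"))        # O'Reilly
    print(stored_value("O'Reilly", True))  # O\'Reilly  (slash now in the table)
```

With a single escape the table holds O'Reilly; with both functions applied it holds O\'Reilly, which is exactly the stored slash the thread calls corrupt data.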

 

 

Tbh, it's probably just because I don't have many Irish people on my site :P

 

Come to think about it, I don't actually have anyone with escapeable chars in their username.

 

But if I hadn't happened to have stumbled across this thread, I wouldn't have learnt of the errors of my ways!

 

:D
