mike12255 Posted March 1, 2009
Did I use this function correctly to protect me?
<?php
$insertpost = "INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')"; // Let's insert this stuff into the database
mysql_query($insertpost);
mysql_real_escape_string($name);
mysql_real_escape_string($subject);
mysql_real_escape_string($yourpost);
mysql_real_escape_string($displaytime);
mysql_real_escape_string($thedate);
?>
trq Posted March 1, 2009
Not at all. For starters, you're not using it until after your query. Secondly, you're not saving the results back into the variables you need.
<?php
// Escape every user-supplied value first, and keep the escaped result.
$name        = mysql_real_escape_string($name);
$subject     = mysql_real_escape_string($subject);
$yourpost    = mysql_real_escape_string($yourpost);
$displaytime = mysql_real_escape_string($displaytime);
$thedate     = mysql_real_escape_string($thedate);
// Only now build the query from the escaped values.
$insertpost = "INSERT INTO forumtutorial_posts(author,title,post,showtime,realtime,lastposter) values('$name','$subject','$yourpost','$displaytime','$thedate','$name')"; // Let's insert this stuff into the database
mysql_query($insertpost);
?>
mike12255 Posted March 1, 2009
So using mysql_real_escape_string makes it so I don't need strip_tags?
$name = strip_tags($name);
$subject = strip_tags($subject);
$yourpost = strip_tags($yourpost);
Mchl Posted March 1, 2009
No. strip_tags strips HTML tags from input. mysql_real_escape_string escapes characters that have special meaning for MySQL (like ').
mike12255 Posted March 1, 2009
So it's wise to run both statements? I'm going to be displaying this data I'm getting.
jackpf Posted March 1, 2009
You'll probably also need addslashes() tbh. The wonderful world of functions...
Mchl Posted March 1, 2009
> You'll probably also need addslashes() tbh. The wonderful world of functions...
Not true, unless you're doing something else entirely with this data. Running addslashes together with mysql_real_escape_string will result in corrupted data in MySQL tables.
mike12255: Use mysql_real_escape_string on all data input by users that is to be used in MySQL queries. Use strip_tags to remove any HTML that you don't want to allow users to input. Yes, it is OK to run both functions.
jackpf Posted March 1, 2009
I thought you had to run addslashes() on all data being used for SQL? Does mysql_real_escape_string() run addslashes() as well?
Mchl Posted March 1, 2009
It doesn't run addslashes(). It adds slashes. It's just that it works a bit differently from addslashes(). For one, it takes into account the encoding of the current connection to MySQL. Second, it escapes all MySQL-specific control characters, while addslashes escapes only ', ", \ and 0x00.
jackpf Posted March 1, 2009
Oh right... I didn't know that. On my login/register script I use both. Seems to work...
trq Posted March 1, 2009
> Oh right... I didn't know that. On my login/register script I use both. Seems to work...
I'll bet you have slashes stored within your database. This is a sign of corrupt data. If data is escaped properly the slashes should never actually be stored within the database.
jackpf Posted March 1, 2009
> I'll bet you have slashes stored within your database. This is a sign of corrupt data. If data is escaped properly the slashes should never actually be stored within the database.
No, oddly, it's all fine. I'll be sure to change it though, just to make sure.
Mchl Posted March 1, 2009
You probably use stripslashes when retrieving data.
jackpf Posted March 1, 2009
> You probably use stripslashes when retrieving data.
No, lol. This is exactly it, and I don't use anything to manipulate it whilst extracting it:
addslashes(mysql_real_escape_string(htmlspecialchars($_POST['username'])));
trq Posted March 1, 2009
You mean...
$_POST["username"] = addslashes(mysql_real_escape_string(htmlspecialchars($_POST["username"])));
?
jackpf Posted March 1, 2009
No,
$username = addslashes(mysql_real_escape_string(htmlspecialchars($_POST['username'])));
I've changed it now anyway.
Mchl Posted March 1, 2009
Maybe you're just lucky then, and don't get any special chars in your data. Well... it's a bit strange what you say... Let's take the example string "O'Reilly".
Passing it through mysql_real_escape_string gives "O\'Reilly".
Passing this through addslashes gives "O\\\'Reilly".
jackpf Posted March 1, 2009
Tbh, it's probably just because I don't have many Irish people on my site. Come to think of it, I don't actually have anyone with escapable chars in their username. But if I hadn't happened to have stumbled across this thread, I wouldn't have learnt of the error of my ways!
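The three points made in this thread (trq's "escape before the query and keep the result", Mchl's "strip_tags and SQL escaping solve different problems", and the addslashes-on-top-of-escaping corruption shown with "O'Reilly") can be checked in one short script. This is an added example, not code from the thread: it uses PDO with an in-memory SQLite database so it runs without a MySQL server, since the mysql_* functions discussed above need a live connection and no longer exist in PHP 7 and later. addslashes() stands in for the redundant escaping layer, the table and column names are taken from the thread, and the input values are constructed.

```php
<?php
// Added example, not code from the thread. Models the thread's points with
// PDO and an in-memory SQLite database so it runs offline; the mysql_*
// functions discussed above need a live MySQL connection (and were removed in
// PHP 7), so addslashes() stands in for the "extra" escaping layer.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Table and column names mirror the thread; the other columns are left out.
$pdo->exec('CREATE TABLE forumtutorial_posts (author TEXT, title TEXT, post TEXT)');

// Constructed inputs: the name Mchl uses, plus a post body that contains HTML.
$name    = "O'Reilly";
$subject = 'hello';
$rawPost = "<b>hi</b><script>alert(1)</script> it's me";

// 1. The ordering bug from the first post: the query is built from the raw
//    value and the escaping call's return value is discarded, so the quote in
//    the name reaches the SQL parser as-is and the statement fails (or, with a
//    crafted value, does something other than what the author intended).
$insertpost = "INSERT INTO forumtutorial_posts(author,title,post) values('$name','$subject','$rawPost')";
addslashes($name); // result not kept, so this has no effect on $insertpost
$brokenStatementRejected = false;
try {
    $pdo->exec($insertpost);
} catch (PDOException $e) {
    $brokenStatementRejected = true;
}

// 2. Correct handling: strip_tags() addresses the HTML concern (the page will
//    display this data later), parameter binding addresses the SQL concern.
//    The driver quotes the value, and what is stored is exactly what the user
//    typed, with no backslashes.
$yourpost = strip_tags($rawPost);
$stmt = $pdo->prepare('INSERT INTO forumtutorial_posts(author,title,post) VALUES (?, ?, ?)');
$stmt->execute([$name, $subject, $yourpost]);

// 3. Double escaping: an extra addslashes() on top of correct handling adds no
//    protection, it changes the data. The backslash is stored, which is the
//    "slashes in the database" symptom trq describes.
$stmt->execute([addslashes($name), $subject, $yourpost]);

$authors = $pdo->query('SELECT author FROM forumtutorial_posts ORDER BY rowid')
               ->fetchAll(PDO::FETCH_COLUMN);
$posts   = $pdo->query('SELECT post FROM forumtutorial_posts ORDER BY rowid')
               ->fetchAll(PDO::FETCH_COLUMN);

// Self-checks on what actually ended up in the table.
if (!$brokenStatementRejected) {
    throw new RuntimeException('the unescaped quote was not rejected');
}
if ($authors !== ["O'Reilly", "O\\'Reilly"]) {
    throw new RuntimeException('unexpected author rows: ' . implode(', ', $authors));
}
if ($posts[0] !== "hialert(1) it's me") {
    throw new RuntimeException('unexpected strip_tags result: ' . $posts[0]);
}
echo "ok: stored authors = " . implode(' | ', $authors) . "\n";
```

On a real MySQL connection the same lesson holds with mysqli or PDO prepared statements in place of mysql_real_escape_string: escaping (or binding) happens once, at the SQL boundary, on the value that is actually sent; strip_tags or htmlspecialchars are a separate decision about what the page is allowed to render; and a backslash that shows up in a SELECT result is the sign that a value was escaped twice.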