neex1233 Posted June 3, 2009

I don't understand how you use it. Here are the scripts that I would like to use it on:

<?php
$con = mysql_connect("localhost","My_Username","Password");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("My_DB", $con);
printf("Last inserted record has id %d\n", mysql_insert_id());
$sql="INSERT INTO users (id,username,password,userlevel)
VALUES
('$_POST[id]','$_POST[username]','$_POST[password]','$_POST[userlevel]')";
if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "<strong>User Added to Database!</strong>";
mysql_close($con)
?>

<?php
$con = mysql_connect("localhost","My_Username","Password");
mysql_select_db("My_DB", $con);
$username = mysql_real_escape_string($_POST["username"]);
if (isset($_POST['edit'])) {
    $sql = "UPDATE users SET username = '{$_POST['username']}', password = '{$_POST['password']}', userlevel = '{$_POST['userlevel']}' WHERE `username` = '$username' LIMIT 1";
    mysql_query($sql) or die (mysql_error());
}
?>

Also, how else could I make these scripts more secure? Thanks!!

Maq Posted June 3, 2009

> I don't understand how you use it. Here are the scripts that I would like to use it on:

Just like you did in your second code excerpt, except in your query use '$username' rather than the POST variable.

neex1233 Posted June 3, 2009

Thanks! Would I use it on any of the other things in the second script?

Maq Posted June 3, 2009

Have you read about this function in the manual - mysql_real_escape_string? This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
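
An added example (not code from any poster in this thread): the two scripts from the first post rewritten with PDO prepared statements in place of mysql_real_escape_string(), since the mysql_* functions were removed in PHP 7.0. The in-memory SQLite database, the ALLOWED_LEVELS list, the helper names and the sample values are assumptions made so the script runs on its own; the same statements apply with a `mysql:` DSN.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL server so the script
// runs offline; table layout, allowed levels and input values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password TEXT NOT NULL, userlevel INTEGER NOT NULL)');

const ALLOWED_LEVELS = [1, 2, 3]; // hypothetical valid userlevel values

function checkedLevel($raw): int
{
    $level = filter_var($raw, FILTER_VALIDATE_INT);
    if ($level === false || !in_array($level, ALLOWED_LEVELS, true)) {
        throw new InvalidArgumentException('invalid userlevel');
    }
    return $level;
}

function addUser(PDO $pdo, array $post): int
{
    // Placeholders keep every value out of the SQL text; the database assigns id.
    $stmt = $pdo->prepare('INSERT INTO users (username, password, userlevel) VALUES (?, ?, ?)');
    $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT), // store a hash only
        checkedLevel($post['userlevel']),
    ]);
    return (int) $pdo->lastInsertId();
}

function editUser(PDO $pdo, string $currentName, array $post): int
{
    $stmt = $pdo->prepare('UPDATE users SET username = ?, password = ?, userlevel = ? WHERE username = ?');
    $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        checkedLevel($post['userlevel']),
        $currentName,
    ]);
    return $stmt->rowCount(); // rows changed
}

// Constructed stand-in for $_POST; the quote in the name is bound as plain data.
$post = ['username' => "o'neil", 'password' => 'example-only', 'userlevel' => '2'];
printf("Last inserted record has id %d\n", addUser($pdo, $post));
$post['username'] = "o'neil-2";
printf("Rows updated: %d\n", editUser($pdo, "o'neil", $post));
```

In a real edit form the current username passed to editUser() would come from the logged-in session rather than from the submitted form.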

neex1233 Posted June 3, 2009

I just read it.

neex1233 Posted June 3, 2009

I also learned that the protection script that I am using (X-Protection) is not secure :-\ So, now I guess I will work on making it secure. :'(

akitchin Posted June 3, 2009

> I just read it.

i can't count how many times reading the manual about a function solves a thread, and could have done so even before the thread was posted. i hope you've learned a lesson - the PHP manual is your friend.

Maq Posted June 3, 2009

> I also learned that the protection script that I am using (X-Protection) is not secure :-\ So, now I guess I will work on making it secure. :'(

There are a multitude of tools that you can get via plug-in for your browser (i.e. - SQL Inject ME), to test your applications with.

neex1233 Posted June 3, 2009

It says X-Protection is all secure, and only one of my scripts has errors (which I didn't finish yet). I guess I have a new version of it...

This topic is now archived and is closed to further replies.