neex1233 Posted June 3, 2009

I don't understand how you use it. Here are the scripts that I would like to use it on:

```php
<?php
$con = mysql_connect("localhost","My_Username","Password");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("My_DB", $con);
printf("Last inserted record has id %d\n", mysql_insert_id());
$sql="INSERT INTO users (id,username,password,userlevel)
VALUES
('$_POST[id]','$_POST[username]','$_POST[password]','$_POST[userlevel]')";
if (!mysql_query($sql,$con))
{
    die('Error: ' . mysql_error());
}
echo "<strong>User Added to Database!</strong>";
mysql_close($con)
?>
```

```php
<?php
$con = mysql_connect("localhost","My_Username","Password");
mysql_select_db("My_DB", $con);
$username = mysql_real_escape_string($_POST["username"]);
if (isset($_POST['edit'])) {
    $sql = "UPDATE users SET username = '{$_POST['username']}', password = '{$_POST['password']}', userlevel = '{$_POST['userlevel']}' WHERE `username` = '$username' LIMIT 1";
    mysql_query($sql) or die (mysql_error());
}
?>
```

Also, how else could I make these scripts more secure? Thanks!!

Maq Posted June 3, 2009

> I don't understand how you use it. Here are the scripts that I would like to use it on:

Just like you did in your second code excerpt, except in your query use '$username' rather than the POST variable.

neex1233 (Author) Posted June 3, 2009

Thanks! Would I use it on any of the other things in the second script?

Maq Posted June 3, 2009

Have you read about this function in the manual - mysql_real_escape_string? This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

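The advice in the replies above applied to the second script, as an added example that is not part of the original thread: every value placed in the query is escaped, not only the one in the WHERE clause, with a prepared-statement variant beside it. It uses the mysqli extension because the mysql_* functions were removed in PHP 7; the helper names and the utf8mb4 charset are assumptions.

```php
<?php
// Added example, not code from the thread. Connection values are the
// placeholders from the original post; helper names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Return the three form fields as strings, or null if any is missing or
// is not a string (e.g. username[]=x arrives as an array).
function read_fields(array $post): ?array
{
    $out = [];
    foreach (['username', 'password', 'userlevel'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;
        }
        $out[$key] = $post[$key];
    }
    return $out;
}

// Variant 1: escape every value that ends up between quotes in the SQL.
function build_update_sql(mysqli $db, array $f): string
{
    $username  = $db->real_escape_string($f['username']);
    $password  = $db->real_escape_string($f['password']);
    $userlevel = $db->real_escape_string($f['userlevel']);
    return "UPDATE users SET username = '$username', password = '$password', "
         . "userlevel = '$userlevel' WHERE `username` = '$username' LIMIT 1";
}

// Variant 2: prepared statement; the values never become part of the SQL text.
function update_user_prepared(mysqli $db, array $f): void
{
    $stmt = $db->prepare('UPDATE users SET username = ?, password = ?, '
                       . 'userlevel = ? WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('ssss', $f['username'], $f['password'],
                      $f['userlevel'], $f['username']);
    $stmt->execute();
    $stmt->close();
}

if (isset($_POST['edit']) && ($fields = read_fields($_POST)) !== null) {
    $db = new mysqli('localhost', 'My_Username', 'Password', 'My_DB');
    // Escaping depends on the connection charset; utf8mb4 is an assumption.
    $db->set_charset('utf8mb4');
    $db->query(build_update_sql($db, $fields)); // or: update_user_prepared($db, $fields);
    $db->close();
}
```
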
neex1233 (Author) Posted June 3, 2009

I just read it.

neex1233 (Author) Posted June 3, 2009

I also learned that the protection script that I am using (X-Protection) is not secure :-\ So, now I guess I will work on making it secure. :'(

akitchin Posted June 3, 2009

> I just read it.

i can't count how many times reading the manual about a function solves a thread, and could have done so even before the thread was posted. i hope you've learned a lesson - the PHP manual is your friend.

Maq Posted June 3, 2009

> I also learned that the protection script that I am using (X-Protection) is not secure :-\ So, now I guess I will work on making it secure. :'(

There are a multitude of tools that you can get via plug-in for your browser (i.e. - SQL Inject ME), to test your applications with.

neex1233 (Author) Posted June 3, 2009

It says X-Protection is all secure, and only one of my scripts has errors (which I didn't finish yet). I guess I have a new version of it...