robert_gsfame Posted November 18, 2009

I have never used mysql_real_escape_string before, as I'm still new to PHP, so I always use mysql_query instead of mysql_real_escape_string. Can anyone help me on how to use it? Is it the same as when using mysql_query?

    $username=$_SESSION['username'];
    $password=$_SESSION['password'];
    query = sprintf("SELECT * FROM table1 WHERE username='%s' AND password='%s'", mysql_real_escape_string($username), mysql_real_escape_string($password));
    $sql=mysql_query($query);

Is the code above written correctly? Then where should I put mysql_real_escape_string? In all queries, and when using $_POST and $_GET? Last question: must mysql_real_escape_string be connected to get_magic_quotes_gpc() and stripslashes to make my webpage safer? Thanks in advance.

Link to comment: https://forums.phpfreaks.com/topic/181965-prevent-sql-injection-attacks/
mikesta707 Posted November 18, 2009

Yes, that code is correct actually. All mysql_escape_string() does is escape characters that are special in MySQL. For example, the ' character is commonly used in SQL injections that don't escape it. addslashes() does a similar thing, but it's best to use the functions that were made specially for the database (for example mysql_escape_string() for MySQL or pg_escape_string() for PostgreSQL).

magic_quotes_gpc() is a setting in php.ini that, when set to on, automatically escapes all POST and GET data (using addslashes()). This can cause problems when you use mysql_escape_string() or other escaping functions, because you can end up double escaping things. stripslashes would undo whatever magic_quotes_gpc() does, and you can then apply the arguably better mysql_escape_string() function (if you have a MySQL database) to your string. It would be something like so:

    //magic quotes gpc ON
    $data = $_POST['data'];//already escaped
    $data = stripslashes($data);//undid escape
    $data = mysql_real_escape_string($data);//better escape
    //do whatever

However, when you have magic quotes gpc set to off, you can simply do what you did in your example.
robert_gsfame Posted November 18, 2009 (Author)

    $username=$_POST['username'];
    $password=$_POST['password'];
    query = sprintf("SELECT * FROM table1 WHERE username='%s' AND password='%s'", mysql_real_escape_string($username), mysql_real_escape_string($password));
    $sql=mysql_query($query);

So using mysql_real_escape_string() is enough? Is the above code safe enough? Or maybe you could alter something so that it becomes safer?
Stephen Posted November 18, 2009

You could replace:

    $username=$_POST['username'];
    $password=$_POST['password'];

With:

    $username=get_magic_quotes_gpc() ? stripslashes($_POST['username']) : $_POST['username'];
    $password=get_magic_quotes_gpc() ? stripslashes($_POST['password']) : $_POST['password'];

To make sure slashes have not already been added. Also, you forgot to put $ before your variable name for the "query" variable.
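An added example, not code posted in the thread, that folds the advice from the replies above into one helper: undo magic_quotes_gpc before escaping, call mysql_real_escape_string() with an open connection (it returns false and warns without one), and keep the escaped value inside single quotes in the SQL text. The helper name clean_for_mysql, the credentials and the database name are placeholders; the mysql_* extension was removed in PHP 7, where mysqli or PDO prepared statements replace this escaping pattern.

```php
<?php
// Added example for this thread (not the poster's code). Assumes a PHP 5 era
// setup with the mysql_* extension and a mysql_connect() link already open.

function clean_for_mysql($value, $link)
{
    // Undo magic_quotes_gpc's addslashes() so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape characters special to MySQL (quote, backslash, NUL, newline, ...)
    // using the charset of the open connection.
    $escaped = mysql_real_escape_string($value, $link);
    if ($escaped === false) {
        // No usable connection: refuse rather than build an unescaped query.
        throw new RuntimeException('mysql_real_escape_string failed: no connection');
    }
    return $escaped;
}

$link = mysql_connect('localhost', 'dbuser', 'dbpass'); // placeholder credentials
mysql_select_db('appdb', $link);                         // placeholder database

$username = clean_for_mysql($_POST['username'], $link);
$password = clean_for_mysql($_POST['password'], $link);

// The escaped values must sit inside quotes in the SQL text; escaping does
// nothing for a value that is interpolated unquoted (for example a numeric id).
$query = sprintf("SELECT * FROM table1 WHERE username='%s' AND password='%s'",
                 $username, $password);
$result = mysql_query($query, $link);
```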