
mysql_real_escape_string vs my code


runnerjp


OK, I have come across this function...

 

function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

 

Would this have any other advantages than mysql_real_escape_string?


It has no advantages OVER mysql_real_escape_string() but it does help, depending on what you're trying to achieve.

 

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

 

mysql_real_escape_string() prevents SQL injections; however, things such as htmlspecialchars() can help prevent cross-site scripting.

 

Do you see the difference?


So if I did this

 

function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    $data = mysql_real_escape_string($data) ;
    return $data;
}

 

Would that work to prevent both SQL and cross site?

 

mysql_real_escape_string()


Why do you feel the need to call trim, stripslashes and htmlspecialchars on the input?  You seem to be confusing a couple of things, or trying to do everything in one place.  In particular, htmlspecialchars has no place being anywhere near input... why would anyone want to store all input data as HTML-encoded strings? Sure, it can be useful when outputting data (in this case, from the database).

 

Back to the original question, the only advantage would be towards an attacker looking for an easy way into your site.  :(
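
The distinction drawn in the replies above (escape for SQL at the query, HTML-encode at output), as an added example that is not part of the original thread. It uses PDO bound parameters on an in-memory SQLite database in place of mysql_real_escape_string(), which needs a live MySQL connection; the table, the helper names other than check_input() and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the thread. Table, helper names and input are constructed.
// Assumption: PDO with in-memory SQLite, so it runs offline; bound parameters
// take the place of mysql_real_escape_string() at the SQL boundary.

// The filter function from the first post, unchanged.
function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// SQL context: bind the raw value so it is never parsed as part of the query.
function save_comment(PDO $db, $body)
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchColumn();
}

// HTML context: encode only at the moment the value is written into a page.
function render_comment($body)
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$input = "O'Reilly wrote C:\\temp & <b>hi</b>"; // constructed sample input

// Filtering at input time changes what is stored (backslash lost, entities in the DB).
$filtered = load_comment($db, save_comment($db, check_input($input)));
// Binding the raw value stores exactly what the user typed.
$raw = load_comment($db, save_comment($db, $input));

var_dump($filtered === $input, $raw === $input);
echo render_comment($raw), "\n";      // encoded once, at output
echo render_comment($filtered), "\n"; // already-encoded data gets encoded again
```

Comparing the two rendered lines shows why HTML encoding belongs at output: the value that was filtered on the way in no longer matches what the user typed, and encoding it again for display corrupts it further.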
