Jump to content

Basic Commenting System

jamesjmann

By jamesjmann
in PHP Coding Help

 Share

Recommended Posts

jamesjmann Regular Member

jamesjmann

Posted
  • Author
Posted

Take your mysql_query string, and turn it into something like:

$sql = sprintf("INSERT INTO mynews (user, title, message, type, url)
VALUES ('%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($user),
mysql_real_escape_string($title),
mysql_real_escape_string($message),
mysql_real_escape_string($type),
mysql_real_escape_string($url));
$result = mysql_query($sql);

 

As always Un-tested (may be a parse error).

 

Okay, I replaced it with the code you gave me and everything still works. Now...what exactly does this piece of code do? I did some googling but didn't find out very much. All I gleaned was that it prevents database attacks by users exploiting your forms?

jcbones Newbie

jcbones

Posted
Posted

It simply runs all your variables through a function that makes a string safe to interact with a database (mysql specifically).  Otherwise people could rebuild your query to gain access to your database, and exploit your users, and/or destroy your tables.

BlueSkyIS Newbie

BlueSkyIS

Posted
Posted

it may be important to note that if your server has magic_quotes turned on, there will be slashes added to the POST variables automatically. IF magic_quotes is turned on, you'll need to either turn off magic_quotes, or strip those slashes before using msyql_real_escape_string(), or you'll get double-slashes.

BlueSkyIS Newbie

BlueSkyIS

Posted
Posted

in case it helps, here is a function i use for post'ed data

 

function sqlSafe($in_string) {
// determine automagically
if (get_magic_quotes_gpc()) {
	$in_string = stripslashes($in_string);
}
return mysql_real_escape_string($in_string);
}

// After ensuring that $someval is a legitimate value...
$someval = sqlSafe($someval);

// insert/update data with $someval.

jamesjmann Regular Member

jamesjmann

Posted
  • Author
Posted

in case it helps, here is a function i use for post'ed data

 

function sqlSafe($in_string) {
// determine automagically
if (get_magic_quotes_gpc()) {
	$in_string = stripslashes($in_string);
}
return mysql_real_escape_string($in_string);
}

// After ensuring that $someval is a legitimate value...
$someval = sqlSafe($someval);

// insert/update data with $someval.

 

Where would this code be inserted in the script I posted?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.