jamesjmann Posted January 31, 2011 (Author)

> Take your mysql_query string, and turn it into something like:
>
>     $sql = sprintf("INSERT INTO mynews (user, title, message, type, url) VALUES ('%s', '%s', '%s', '%s', '%s')",
>         mysql_real_escape_string($user),
>         mysql_real_escape_string($title),
>         mysql_real_escape_string($message),
>         mysql_real_escape_string($type),
>         mysql_real_escape_string($url));
>     $result = mysql_query($sql);
>
> As always, untested (may be a parse error).

Okay, I replaced it with the code you gave me and everything still works. Now... what exactly does this piece of code do? I did some googling but didn't find out very much. All I gleaned was that it prevents database attacks by users exploiting your forms?

Link to comment: https://forums.phpfreaks.com/topic/226148-basic-commenting-system/page/2/#findComment-1167557
jcbones Posted January 31, 2011

It simply runs all your variables through a function that makes a string safe to interact with a database (MySQL specifically). Otherwise people could rebuild your query to gain access to your database, and exploit your users, and/or destroy your tables.

Link to comment: https://forums.phpfreaks.com/topic/226148-basic-commenting-system/page/2/#findComment-1167565
BlueSkyIS Posted January 31, 2011

It may be important to note that if your server has magic_quotes turned on, there will be slashes added to the POST variables automatically. If magic_quotes is turned on, you'll need to either turn off magic_quotes, or strip those slashes before using mysql_real_escape_string(), or you'll get double slashes.

Link to comment: https://forums.phpfreaks.com/topic/226148-basic-commenting-system/page/2/#findComment-1167566
BlueSkyIS Posted January 31, 2011

In case it helps, here is a function I use for POSTed data:

    function sqlSafe($in_string) {
        // determine automagically whether magic_quotes already added slashes
        if (get_magic_quotes_gpc()) {
            $in_string = stripslashes($in_string);
        }
        return mysql_real_escape_string($in_string);
    }

    // After ensuring that $someval is a legitimate value...
    $someval = sqlSafe($someval);
    // insert/update data with $someval.

Link to comment: https://forums.phpfreaks.com/topic/226148-basic-commenting-system/page/2/#findComment-1167568
jamesjmann Posted January 31, 2011 (Author)

> In case it helps, here is a function I use for POSTed data:
>
>     function sqlSafe($in_string) {
>         // determine automagically whether magic_quotes already added slashes
>         if (get_magic_quotes_gpc()) {
>             $in_string = stripslashes($in_string);
>         }
>         return mysql_real_escape_string($in_string);
>     }
>
>     // After ensuring that $someval is a legitimate value...
>     $someval = sqlSafe($someval);
>     // insert/update data with $someval.

Where would this code be inserted in the script I posted?

Link to comment: https://forums.phpfreaks.com/topic/226148-basic-commenting-system/page/2/#findComment-1167924
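The thread shows the escaping function and the sprintf() query separately but never shows them together in a form handler. The script below is an added example (not code posted by anyone in the thread) that puts the pieces in order: validate the raw POST fields, run each one through sqlSafe() immediately before it is placed in the SQL, and then execute the query. It also shows the same INSERT as a PDO prepared statement, which keeps values out of the query text entirely and so needs no escaping. It assumes the mynews(user, title, message, type, url) table and field names from the thread, a MySQL connection already opened with mysql_connect()/mysql_select_db() for the first version and a PDO handle for the second; the validation rules (required fields, title length, URL check) are made up for illustration.

```php
<?php
// Added example, not from the thread. Assumes a table
// mynews(user, title, message, type, url) and an open mysql_* connection.

// BlueSkyIS's helper: undo magic_quotes' automatic backslashes so the value is
// not escaped twice, then escape it for MySQL.
function sqlSafe($in_string) {
    if (get_magic_quotes_gpc()) {
        $in_string = stripslashes($in_string);
    }
    return mysql_real_escape_string($in_string);
}

// Step 1: check the raw values before escaping (the "after ensuring $someval is
// legitimate" step). Returns error messages; an empty array means acceptable.
// The rules here are illustrative assumptions, not from the thread.
function validateNews(array $post) {
    $errors = array();
    foreach (array('user', 'title', 'message', 'type', 'url') as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if (isset($post['title']) && strlen($post['title']) > 255) {
        $errors[] = 'title is too long';
    }
    if (isset($post['url']) && $post['url'] !== '' && !filter_var($post['url'], FILTER_VALIDATE_URL)) {
        $errors[] = 'url is not a valid URL';
    }
    return $errors;
}

// Steps 2 and 3: escape every field right before it goes into the SQL and build
// the query the way jcbones suggested. Returns the SQL for mysql_query().
function buildNewsInsert(array $post) {
    return sprintf(
        "INSERT INTO mynews (user, title, message, type, url) VALUES ('%s', '%s', '%s', '%s', '%s')",
        sqlSafe($post['user']),
        sqlSafe($post['title']),
        sqlSafe($post['message']),
        sqlSafe($post['type']),
        sqlSafe($post['url'])
    );
}

// The same INSERT as a prepared statement: values are sent separately from the
// query text, so the database never parses them as SQL and sqlSafe() is unnecessary.
function insertNewsPdo(PDO $db, array $post) {
    $stmt = $db->prepare(
        'INSERT INTO mynews (user, title, message, type, url) VALUES (:user, :title, :message, :type, :url)'
    );
    return $stmt->execute(array(
        ':user'    => $post['user'],
        ':title'   => $post['title'],
        ':message' => $post['message'],
        ':type'    => $post['type'],
        ':url'     => $post['url'],
    ));
}

// Form handler: only runs on a submission.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateNews($_POST);
    if ($errors) {
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    } else {
        $result = mysql_query(buildNewsInsert($_POST));
        if (!$result) {
            // Keep the database error in the server log; do not echo it to visitors.
            error_log('mynews insert failed: ' . mysql_error());
            echo 'Could not save your comment.';
        } else {
            echo 'Comment saved.';
        }
    }
}
```

The escaping version matches the PHP of the thread's time: magic_quotes was removed in PHP 5.4 and the mysql_* extension in PHP 7.0, so on a current PHP only the insertNewsPdo() form still works. Even on old PHP the ordering matters: validate the raw value first, escape it only once and only at the moment it is placed in the query, and never echo mysql_error() to the browser, since the error text reveals the query structure to anyone probing the form.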
This topic is now archived and is closed to further replies.