floridaflatlander Posted April 18, 2011 Share Posted April 18, 2011 I was checking my inputs and found out my mysql_real_escape_string() wasn't working and how little I new about mysql_real_escape_string(). Is mysql_real_escape_string() just suppose to add slashes ex from this ( ' ) to this ( \' ) ? or is it suppose to be more disruptive? Also what format should it be in ? When I have this, everything goes to my database and when I add ''Or''='' I can mess up stuff in my form display // $discrip = ($_POST ['discrip']); $discrip = mysqli_real_escape_string($db, trim($discrip)); When I have this It seems to work but takes everything out not leaving \'\'OR\'\'==\'\' So if I put 1 <img src="images/bass_031611.jpg" /> 2 <?php ?> 3 '' OR ''='' into my UPDATE all of it gets taken out $discrip = ($_POST ['discrip']); mysqli_real_escape_string($db, trim($discrip)); Most books I have give the example of: $discrip = mysqli_real_escape_string($db, trim($discrip)); Not mysqli_real_escape_string($db, trim($discrip)); I have php 5.3 on xampp Thanks in advance S Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted April 18, 2011 Share Posted April 18, 2011 This code does nothing useful: $discrip = ($_POST ['discrip']); mysqli_real_escape_string($db, trim($discrip)); The result of the function must be reassigned to be usable. $discrip = ($_POST ['discrip']); $discrip = mysqli_real_escape_string($db, trim($discrip)); Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted April 18, 2011 Author Share Posted April 18, 2011 Thanks for the reply. True mysqli_real_escape_string($db, trim($discrip)); does nothing while $discrip = mysqli_real_escape_string($db, trim($discrip)); lets info be entered. Is mysql_real_escape_string() just suppose to add slashes ex from this ( ' ) to this ( \' ) ? or is it suppose to be more disruptive? What does mysqli_real_escape_string() do ? I've been using UPDATE and mysqli_real_escape_string() to edit records with <img src="images/10_bass_031611-2_2242.jpg" /> <?php echo 'me'; ?> '' OR ''='' \n and all of it seems to go in my database just like I enter it. Thanks Quote Link to comment Share on other sites More sharing options...
jcbones Posted April 18, 2011 Share Posted April 18, 2011 It tells the database to escape the data, then drop the slashes when it enters the text. This will leave the text in the database, just like it was entered, all the while slightly protecting you from injection attacks. For instance try inserting this string into your database with and without the mysqli_real_escape_string(). ' OR ' You will find vast differences in the actions of the database. Note, in an edit situation, this will simple input the string into the database with the function. Without the function will trigger an error, that will allow for someone to further manipulate you database, because they now have a table name and a column names (if your errors are sent to the page output). Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted April 19, 2011 Author Share Posted April 19, 2011 Thanks for the reply I must be doing something wrong because I don't see any difference in the database at all.. If is use ' OR ' or <img src="images/10_bass_031611-2_2242.jpg" /> <?php echo 'me'; ?> '' OR ''='' \n People will be entering text in this area of a table so strip_tags would get rid of photos and stuff like that. But does that still leave stuff like sql injection problems when I don't see any difference in stuff like ''OR''='' and ' OR ' Thanks Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted April 19, 2011 Share Posted April 19, 2011 The slashes don't actually get inserted in the database. They only serve to indicate that the character that follows is a to be interpreted as a string literal, rather than a control character. mysql_real_escape_string <--- manual page. Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted April 19, 2011 Author Share Posted April 19, 2011 Yes I saw that and to me From php.net: mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. Means that \n should be \\n and ' should be \' in my database. Anyway as long as it works. Thanks to everyone Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted April 19, 2011 Share Posted April 19, 2011 Yes, PHP prepends a backslash. If you echo the escaped value, you'll see the backslash. When the query is passed to the db, MySQL uses that backslash as an indicator, and doesn't insert it in the DB. Quote Link to comment Share on other sites More sharing options...
floridaflatlander Posted April 19, 2011 Author Share Posted April 19, 2011 Yes it does, cool and thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.