
real escape string


4 replies to this topic

#1 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 23 October 2006 - 08:19 PM

I am writing up a function I can use on all variables before database entry.
It's definitely going to perform mysql_real_escape_string().
I had a few questions about it first.
I have been using it a while but never really saw anything beyond what they say on php.net.

1. I know it escapes some things, but does it escape everything that addslashes does? Everything?
2. When it comes down to the functionality, is there anything safety-related that mysql_real_escape_string doesn't do? Meaning, are there other functions I can run a variable through along with mysql_real_escape_string() to make them even safer? If so, like what?

3. Would mysql_real_escape_string allow HTML to get put through? The reason I am wondering is that I am going to have 2 functions. One will just purge anything bad from it; the second is also going to strip all XHTML and CSS, and check for PHP programming or JavaScript. It's going to test the variable for a lot, to make sure it's not got anything in it. I was wondering though, does mysql_real_escape_string do this, or would I have to do all of that separately? Because I wanted my one function to be run through mysql_real_escape_string and whatever else you suggest, but I wanted to be able to store XHTML or whatever else in the DB;
when it comes to another function I would take care of all of that.
Any advice/feedback would be appreciated.

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • LocationBedfordshire, England

Posted 23 October 2006 - 10:09 PM

I'd post a handful of stuff/links, but a quick Google search brings up some better explained reasons, all on page 1:
http://www.google.co...g vs addslashes
"you have to keep pissing in the wind to learn how to keep your shoes dry..."

I say old chap, that is rather amusing!

#3 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 23 October 2006 - 10:26 PM

I was already fully aware of that specific point. The thing I was wondering: whether someone uses mysql_real_escape_string or addslashes is subject to opinion, it seems, most of the time.
What I was wondering is, aside from whether you choose
A. mysql_real_escape_string()
B. add_slashes()
is there something else, or some other things you can use along with A or B, that can make it even safer than just using A or B alone?



#4 redbullmarky

redbullmarky
  • Staff Alumni
  • Advanced Member
  • 2,863 posts
  • LocationBedfordshire, England

Posted 23 October 2006 - 11:43 PM

Again, the links on the Google search I mentioned previously also discuss other issues and solutions, most notably the user comments that go with the articles. Take another look.

#5 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 24 October 2006 - 12:56 AM

<?php
// Undo the escaping magic_quotes_gpc already applied so the value is not escaped
// twice, then escape non-numeric values for the currently open MySQL connection.
// Both calls return the escaped string, so the result has to be assigned back.
function sanitize($value){
   if (get_magic_quotes_gpc()) { $value = stripslashes($value); }
   if (!is_numeric($value)) { $value = mysql_real_escape_string($value); }
   return $value;
}

$blah = sanitize($blah);
?>

Did I help you? Feeling generous? Buy me lunch! 
Please, take the time and do some research and find out how much it would have cost you to get your help from a decent paid-for source. A "roll-of-the-dice" freelancer will charge you $5-$15/hr. A decent entry level freelancer will charge you around $15-30/hr. A professional will charge you anywhere from $50-$100/hr. An agency will charge anywhere from $100-$250/hr. Think about all this when soliciting for help here. Think about how much money you are making from the work you are asking for help on. No, we do not expect you to pay for the help given here, but donating a few bucks is a fraction of the cost of what you would have paid, shows your appreciation, helps motivate people to keep offering help without the pricetag, and helps make this a higher quality free-help community :)
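The following is an added example written for this thread, not code posted by any of its participants. It addresses the questions in post #1 and the sanitize() function in post #5 together: which bytes addslashes() and the MySQL escaper actually touch, why a prepared statement is the "something else beyond A or B" that removes the escaping question entirely, and why HTML handling belongs at output time rather than in the same function as database escaping. It uses mysqli rather than the mysql_* functions discussed in the thread, because those were removed in PHP 7. The credentials, the table `posts(id, author, body)` and the sample input are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Uses mysqli (the mysql_* functions the
// thread discusses were removed in PHP 7). Assumed: a reachable MySQL server, the
// placeholder credentials below, and a table posts(id INT AUTO_INCREMENT, author, body).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make failures throw

// Report which single bytes an escaper changes. addslashes() handles only ' " \ and
// NUL; the MySQL escaper additionally handles \n, \r and Ctrl-Z (0x1a), and because
// it is bound to the connection it escapes correctly for the connection's charset.
function escaped_bytes(callable $escaper): array
{
    $hits = [];
    foreach ([0x00, 0x0a, 0x0d, 0x1a, 0x22, 0x27, 0x5c, 0x41] as $byte) {
        $raw = chr($byte);
        if ($escaper($raw) !== $raw) {
            $hits[] = sprintf('0x%02x', $byte);
        }
    }
    return $hits;
}

// Storage: the value never becomes part of the SQL text, so it can hold XHTML,
// quotes, backslashes or anything else without any escaping function being involved.
function store_post(mysqli $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// If SQL text must be built by hand, escape with the connection-aware function and
// only ever inside a quoted literal; escaping does nothing for an unquoted value.
function find_by_author(mysqli $db, string $author): array
{
    $sql = "SELECT id, author, body FROM posts WHERE author = '"
         . $db->real_escape_string($author) . "'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Output: HTML handling is a separate step from database escaping. Stored markup is
// rendered inert here; allowing a subset of markup would need an allow-list sanitizer.
function render_body(string $storedBody): string
{
    return htmlspecialchars($storedBody, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Placeholder credentials (assumption); replace with your own.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4'); // the escaper is only correct for the charset the connection uses

// Constructed input: a quote, a backslash, a newline and some markup.
$body = "O'Reilly \\ said:\n<script>alert(1)</script>";

print_r(escaped_bytes('addslashes'));
print_r(escaped_bytes([$db, 'real_escape_string']));

$id = store_post($db, 'ninja', $body);
foreach (find_by_author($db, 'ninja') as $row) {
    echo $row['id'], ': ', render_body($row['body']), "\n";
}
```

The two print_r() calls show the practical answer to question 1: the MySQL escaper covers a strict superset of what addslashes() covers, plus the newline, carriage-return and Ctrl-Z bytes, and it does so for the charset the connection was opened with, which addslashes() cannot know about. store_post() shows that once values are bound as parameters the escaping question disappears, and render_body() shows that stored XHTML stays in the database untouched and is neutralised only when rendered, which is exactly the separation the original poster wanted between the two functions.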