Archived

This topic is now archived and is closed to further replies.

Ninjakreborn

real escape string

Recommended Posts

I am writing up a function I can use on all variables before database entry.
It's definitely going to perform mysql_real_escape_string().
I had a few questions about it first.
I have been using it a while but never really saw anything beyond what they say on php.net.

1. I know it escapes some things, but does it escape everything that addslashes does? Everything?
2. When it comes down to the functionality, is there anything safety-related that mysql_real_escape_string doesn't do? Meaning, are there other functions I can run a variable through along with mysql_real_escape_string() to make them even safer? If so, like what?

3. Would mysql_real_escape_string allow HTML to get put through? The reason I am wondering is that I am going to have 2 functions. One will just purge anything bad from it; the second is also going to strip all XHTML, CSS, and check for PHP programming, or JavaScript. It's going to test the variable for a lot, to make sure it's not got anything in it. I was wondering though, does mysql_real_escape_string do this, or would I have to do all of that separately? Because I wanted my one function to be run through mysql_real_escape_string and whatever else you suggest, but I wanted to be able to store XHTML or whatever else in the DB; when it comes to another function I would take care of all of that.
Any advice/feedback would be appreciated.

I'd post a handful of stuff/links, but a quick Google search brings up some better-explained reasons, all on page 1:
http://www.google.co.uk/search?hl=en&q=mysql_real_escape_string+vs+addslashes

I was already fully aware of that specific point. The thing I was wondering: whether someone uses mysql_real_escape_string or addslashes seems to be subject to opinion most of the time.
What I was wondering is, aside from whether you choose
A. mysql_real_escape_string()
B. addslashes()
is there something else, or some other things you can use along with A or B, that can make it even safer than just using A or B alone?

Again, the links on the Google search I mentioned previously also discuss other issues and solutions, most notably the user comments that go with the articles. Take another look.

[code]
<?php
function sanitize($value){
  // Undo magic_quotes escaping first so the value is not escaped twice.
  // stripslashes() returns the new string; the original discarded it.
  if (get_magic_quotes_gpc()) { $value = stripslashes($value); }
  // Numeric strings contain nothing that needs escaping; everything else is
  // escaped for use inside a quoted SQL string literal. This needs an open
  // mysql_connect() link, because the function escapes according to the
  // connection's character set. Again, the return value must be kept.
  if (!is_numeric($value)) { $value = mysql_real_escape_string($value); }
  return $value;
}

$blah = sanitize($blah);
?>
[/code]

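The questions in this thread mix two separate jobs: keeping user input from altering the SQL statement, and keeping stored markup from executing in a browser. mysql_real_escape_string() only does the first, and only for a value placed inside a quoted SQL string literal (it escapes NUL, \n, \r, \, ', " and Ctrl-Z, which is more than addslashes() covers, and it does so using the connection's character set); it does nothing about HTML, CSS or JavaScript, and the mysql_* extension it belongs to was removed in PHP 7. The example below is added here and is not code from any poster in the thread. It shows the separation that the original post was reaching for: store the raw value with a prepared statement so no escaping function is needed at all, bind numeric values as integers instead of relying on is_numeric(), and escape for HTML at output time. It assumes an in-memory SQLite database so it runs without a MySQL server; the DSN is the only MySQL-specific piece, and the constructed sample inputs are just illustrative strings.

```php
<?php
// Added example (not from the thread). Assumption: SQLite in memory so this
// runs stand-alone; replace the DSN with "mysql:host=...;dbname=..." for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample inputs: the characters escaping functions care about
// (quotes, backslash), markup the poster wants to keep, and SQL-looking text.
$inputs = [
    "O'Reilly said \"hi\" \\ and left",
    "<b>bold</b> <script>alert(1)</script>",
    "1; DROP TABLE posts",
];

// Store: the value travels as a bound parameter and is never spliced into the
// SQL text, so nothing in it can change the statement. The markup is kept
// exactly as typed, which is what the original poster wanted.
$insert = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
foreach ($inputs as $body) {
    $insert->execute([':body' => $body]);
}

// Numeric context: validate and bind as an integer. A string that merely
// "looks numeric" to is_numeric() is not enough for an unquoted position;
// anything that is not a whole integer is rejected before a query runs.
function fetchPost(PDO $db, $id): ?string {
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

// Output: the database holds raw text; HTML escaping is applied here, at the
// point of rendering, so stored markup is inert unless you deliberately
// render it through a sanitizer instead of htmlspecialchars().
foreach ($db->query('SELECT id, body FROM posts ORDER BY id') as $row) {
    $stored  = $row['body'];
    $forHtml = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    printf("%d stored=%s\n  html=%s\n", $row['id'], $stored, $forHtml);
}

// A non-integer id never reaches the query; a valid one returns the raw body.
var_dump(fetchPost($db, "1 OR 1=1"));
var_dump(fetchPost($db, "3"));
```

Run it with `php example.php`. The first var_dump prints NULL because the id fails integer validation; the second returns the third stored body unchanged, including its semicolon and keyword, because a bound parameter is data and not SQL. The two "functions" the original poster planned map onto the two boundaries here: the database boundary is handled by binding, and the browser boundary by htmlspecialchars() (or an HTML sanitizer, if some markup must actually be rendered), each applied at its own boundary rather than both at input time.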
