Ninjakreborn Posted October 23, 2006

I am writing up a function I can use on all variables before database entry. It's definitely going to perform mysql_real_escape_string(). I had a few questions about it first. I have been using it a while but never really saw anything beyond what they say on php.net.

1. I know it escapes some things, but does it escape everything that addslashes does? Everything?

2. When it comes down to the functionality, is there anything safety related that mysql_real_escape_string doesn't do? Meaning, are there other functions I can run a variable through along with mysql_real_escape_string() to make them even safer? If so, like what?

3. Would mysql_real_escape_string allow HTML to get put through? The reason I am wondering is I am going to have 2 functions. One will just purge anything bad from it; the second is also going to strip all XHTML, CSS, and check for PHP programming or JavaScript. It's going to test the variable for a lot, to make sure it's not got anything in it. I was wondering, though, does mysql_real_escape_string do this, or would I have to do all of that separately? Because I wanted my one function to be run through mysql_real_escape_string and whatever else you suggest, but I wanted to be able to store XHTML or whatever else in the DB; when it comes to another function I would take care of all of that.

Any advice/feedback would be appreciated.

https://forums.phpfreaks.com/topic/24873-real-escape-string/
redbullmarky Posted October 23, 2006

I'd post a handful of stuff/links, but a quick Google search brings up some better explained reasons, all on page 1: http://www.google.co.uk/search?hl=en&q=mysql_real_escape_string+vs+addslashes
Ninjakreborn Posted October 23, 2006 (Author)

I was already fully aware of that specific point. The thing I was wondering, whether someone uses mysql_real_escape_string or addslashes, is subject to opinion, it seems, most of the time. What I was wondering is, aside from whether you choose

A. mysql_real_escape_string()
B. addslashes()

is there something else, or some other things you can use along with A or B, that can make it even safer than just using A or B alone?
redbullmarky Posted October 23, 2006

Again, the links on the Google search I mentioned previously also discuss other issues and solutions, most notably the user comments that go with the articles. Take another look.
.josh Posted October 24, 2006

[code]<?php
// Undo magic quotes (if enabled) and then escape once for MySQL.
// Both stripslashes() and mysql_real_escape_string() return the new
// string rather than modifying their argument, so the result must be
// assigned back to $value (the original post dropped the return values).
function sanitize($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

$blah = sanitize($blah);
?>[/code]
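The thread keeps mixing two separate jobs: escaping for SQL and deciding what HTML to allow. The following is an added example, not code from the thread, showing the two handled separately with the PHP 5-era functions discussed here; it assumes a MySQL link resource $link, a PDO connection $pdo, and a table posts(title, body), all hypothetical.

```php
<?php
// Added example (not from the thread). Assumes $link (mysql_* resource),
// $pdo (PDO connection) and a table posts(title, body) exist.

// 1) SQL context. The thread's sanitize() idea with the return values kept.
// mysql_real_escape_string() needs an open connection and only makes the
// value safe inside a quoted SQL literal; it does not touch HTML or scripts.
function escape_for_sql($value, $link)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value); // undo magic quotes so nothing is escaped twice
    }
    return mysql_real_escape_string($value, $link);
}

// 2) The same goal without escaping at all: a prepared statement sends the
// value separately from the query text, so quotes, backslashes and tags are
// stored exactly as typed and can never alter the SQL. This is the "something
// else" the thread asks about.
function store_post(PDO $pdo, $title, $body)
{
    $stmt = $pdo->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
    $stmt->execute(array(':title' => $title, ':body' => $body));
    return $pdo->lastInsertId();
}

// 3) HTML context. Whether markup is allowed is decided per field at output
// time, not at database entry. Plain text is encoded; a rich-text field gets
// an allow-list of tags. Note strip_tags() keeps attributes on allowed tags,
// so a real HTML filter is still needed before trusting rich text.
function render_post(array $row)
{
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    $body  = strip_tags($row['body'], '<p><b><i>'); // allow-list, not a blacklist
    return "<h2>$title</h2>\n<div>$body</div>";
}

// Constructed sample input: a quote in the title, markup plus a script tag in the body.
$title = "O'Reilly's \"guide\"";
$body  = '<p>Hello <b>world</b></p><script>unwanted()</script>';
echo render_post(array('title' => $title, 'body' => $body));
// The title comes out as O&#039;Reilly&#039;s &quot;guide&quot;; the <script> element is dropped.
```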