
mysql_escape_string() help



#1 tbobker


Posted 30 October 2006 - 08:56 PM

<?php

	if(isset($_POST['submit'])) {

		$first = $_POST['fname'];
		$last = $_POST['lname'];
		$address = $_POST['address'];
		$email = $_POST['email'];
		$pcode = $_POST['pcode'];
		$country = $_POST['country'];
		$comment = $_POST['comment'];

		$conn = mysql_connect("localhost","","");
		mysql_select_db("",$conn);

		$sql = "insert into petition values ('','','$first','$last','$address','$email','$pcode','$country','$comment');";
		$result = mysql_query($sql,$conn);

		$sql2 = "select id from petition";
		$result2 = mysql_query($sql2,$conn);
		$num_rows = mysql_num_rows($result2);

		


		echo "<div height='300px'><h1>Thankyou for signing the petition</h1><br>".$first."&nbsp;".$last." you have made a positive step forward</div>";
		echo "<br><h2>You are person&nbsp;<span style='color: red'>".$num_rows."</span>";

	}else { echo '

I need to mysql_escape_string() the values but I don't know how to do it with multiple values?

#2 kenrbnsn


Posted 30 October 2006 - 09:13 PM

What do you mean by "do it with multiple values"?

In this case, you can do:
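<?php
	if(isset($_POST['submit'])) {

		// Connect first: mysql_real_escape_string() needs an open connection
		// so it can escape according to that connection's character set.
		$conn = mysql_connect("localhost","","");
		mysql_select_db("",$conn);

		// Escape every value that is placed inside a quoted string in the query.
		$first = mysql_real_escape_string($_POST['fname'], $conn);
		$last = mysql_real_escape_string($_POST['lname'], $conn);
		$address = mysql_real_escape_string($_POST['address'], $conn);
		$email = mysql_real_escape_string($_POST['email'], $conn);
		$pcode = mysql_real_escape_string($_POST['pcode'], $conn);
		$country = mysql_real_escape_string($_POST['country'], $conn);
		$comment = mysql_real_escape_string($_POST['comment'], $conn);

		$sql = "insert into petition values ('','','$first','$last','$address','$email','$pcode','$country','$comment');";
		$result = mysql_query($sql,$conn);

		// Count the rows to show the signer's position.
		$sql2 = "select id from petition";
		$result2 = mysql_query($sql2,$conn);
		$num_rows = mysql_num_rows($result2);

		// HTML output uses the raw input passed through htmlspecialchars(),
		// not the SQL-escaped copies (those would show stray backslashes).
		echo "<div height='300px'><h1>Thankyou for signing the petition</h1><br>".htmlspecialchars($_POST['fname'])."&nbsp;".htmlspecialchars($_POST['lname'])." you have made a positive step forward</div>";
		echo "<br><h2>You are person&nbsp;<span style='color: red'>".$num_rows."</span></h2>";

	}?>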

Ken

#3 tbobker


Posted 31 October 2006 - 11:43 AM

Thanks, that has helped. Will this stop any SQL injection attempts by escaping with the \?
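On the escaping question raised in this thread: escaping only protects values that sit inside quoted string literals, whereas a prepared statement keeps user data out of the SQL text altogether. The following is an added example, not part of the original thread, showing the same petition insert with PDO bound parameters. The column names are hypothetical (the thread never shows the schema) and an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example. Hypothetical column names; SQLite in memory stands in for
// MySQL. For MySQL, change only the DSN (mysql:host=...;dbname=...;charset=utf8mb4).
const FIELDS = ['fname', 'lname', 'address', 'email', 'pcode', 'country', 'comment'];

function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $cols = implode(' TEXT, ', FIELDS) . ' TEXT';
    $pdo->exec("CREATE TABLE petition (id INTEGER PRIMARY KEY AUTOINCREMENT, $cols)");
    return $pdo;
}

function sign_petition(PDO $pdo, array $post): int {
    $row = [];
    foreach (FIELDS as $f) {
        // Reject missing or non-string input (fname[]=x arrives as an array).
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or invalid field: $f");
        }
        $row[":$f"] = trim($post[$f]);
    }
    // The SQL text is fixed; user data travels only as bound parameters.
    $sql = 'INSERT INTO petition (' . implode(', ', FIELDS) . ') '
         . 'VALUES (:' . implode(', :', FIELDS) . ')';
    $pdo->prepare($sql)->execute($row);
    return (int) $pdo->query('SELECT COUNT(*) FROM petition')->fetchColumn();
}

function thank_you(array $post, int $count): string {
    // Output encoding is a separate step from SQL handling.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<h1>Thank you for signing the petition</h1><p>'
         . $e($post['fname']) . ' ' . $e($post['lname'])
         . ', you are person ' . $count . '</p>';
}

// Constructed sample input containing quotes, a backslash and markup.
$post = [
    'fname' => 'Pat', 'lname' => "O'Brien", 'address' => '1 "Main" St',
    'email' => 'pat@example.com', 'pcode' => 'AB1 2CD', 'country' => 'UK',
    'comment' => 'Back\\slash and <b>tags</b> are stored exactly as typed',
];
$pdo = open_db();
echo thank_you($post, sign_petition($pdo, $post)), "\n";
// The stored value is the original text, with no added backslashes.
echo $pdo->query('SELECT lname FROM petition')->fetchColumn(), "\n";
```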



