cbaker007 Posted August 22, 2012

I am really confused... My site is hosted by a large ISP who controls the version of MySQL and PHP. I am a novice PHP / MySQL programmer. I have a much deeper knowledge of HTML but am doing more and more with PHP and MySQL. I have been using a book called "PHP and MySQL Web Development" from 2009. That book tells me that I should "escape" all text user input fields using a set of "magic_quotes_gpc" commands. But after having problems implementing these "magic_quotes" in my code, after looking at the official PHP manual online, it says that these "magic_quotes" commands are not only deprecated, but are actually removed from the most recent versions.

It is my understanding that I needed to run these commands to "escape" any characters (like quote, single quote, comma, &, etc.) that might cause a security issue (someone compromises SQL commands by encapsulating these characters in user input). So I don't know what to do now if these are no longer used. What is the correct way to "escape" user input? I have input that will have these types of characters in it so I want to preserve it... (database of Presentations and users will have these characters in their Presentation Title, Presentation Description, etc.)

What is the appropriate way to handle this type of input if my book is wrong and "magic_quotes" are no longer used?
Christian F. Posted August 22, 2012

Burn that book. Immediately. Magic quotes have always been a bad idea, and as such have been removed from PHP a long time ago. Pretty sure this was a long time before 2009 too, even if I can't remember the exact year.

What you're looking for is either mysqli::real_escape_string() or Prepared Statements, when it comes to MySQL queries. For other systems, it is highly dependent upon the system you're sending the output to. HTML uses htmlspecialchars(), shell uses escapeshellarg() and Regular Expressions use preg_quote(). To mention a few.

PS: That book is almost certainly telling you to use the mysql_*() functions. They are now deprecated, and as such you should look into PDO or MySQLi instead. Both are explained in the PHP manual.
cbaker007 Posted August 22, 2012 (Author)

My confusion was compounded when I had read that the "get_magic_quotes_gpc" and "put_magic..." had been deprecated and I had run across the commands someone was suggesting called "mysql_real_escape_string". But as I dug into those online, I found them in the PHP online manual and they were referenced as being deprecated and referenced back to the "get_magic_quotes_gpc"... I was lost.

Okay, so it sounds like "mysqli_" is the latest way to go. Okay, so I can take user input and before saving it via a MySQL "insert query" do something like:

$ptitle = mysqli_real_escape_string($con, $ptitle);

where $con is my connection to my database. But how do I use that data when I read it? In other words, how do I strip the extra characters and use it as originally entered in an email or an Excel export?
Christian F. Posted August 23, 2012

Those extra characters disappear when the database parses the input, as they're used to remove any special meaning from any meta-characters that might be contained within.

Input validation and output escaping are two very complicated subjects, which need a lot of time to explain. So I suggest that you read a few articles about them, and I think that there are some in the library here.
Monkuar Posted August 23, 2012

(quoting cbaker007's original post)

Just cast them properly, numbers should be intval and check if the intval number is negative too. strings/text, you need to use what ChristianF said. good luck
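The thread's three answers (prepared statements for the query, typed casts for numbers, context-specific escaping for output) put together in one added example; this is not code from any poster. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table, the sample title and description are constructed, and for MySQL only the DSN and credentials would change.

```php
<?php
// Added example, not from the thread. PDO with SQLite so it runs stand-alone;
// for MySQL use a DSN such as 'mysql:host=localhost;dbname=app;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE presentations (id INTEGER PRIMARY KEY, title TEXT NOT NULL, description TEXT)');

// Constructed sample input containing the characters the original poster worried about.
$title       = "O'Reilly's \"PHP & MySQL\" talk, part 1; -- notes";
$description = 'Covers <script>, commas, and \\ backslashes';

// Never build the query text from user data (e.g. "... VALUES ('$title')"):
// the apostrophe in O'Reilly alone would end the string literal early.
// With a prepared statement the SQL is fixed and the values travel as parameters.
$stmt = $pdo->prepare('INSERT INTO presentations (title, description) VALUES (:title, :description)');
$stmt->execute([':title' => $title, ':description' => $description]);

// Numbers: cast to int and reject values that make no sense (Monkuar's point).
$id = (int) $pdo->lastInsertId();
if ($id <= 0) {
    throw new RuntimeException('invalid presentation id');
}

// Reading back: the row holds the text exactly as entered. There is nothing to
// "unescape"; escaping is a transport concern of the query, not stored data.
$stmt = $pdo->prepare('SELECT title, description FROM presentations WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump($row['title'] === $title);             // bool(true)
var_dump($row['description'] === $description); // bool(true)

// Escaping belongs to the output context and is applied at the moment of output,
// so the same raw row can safely go to an HTML page, an email, or a CSV export.
echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</h1>\n";

$out = fopen('php://output', 'w');
fputcsv($out, [$row['title'], $row['description']]); // CSV quoting handled by fputcsv
fclose($out);
```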