mysql real escape

[the-botman]

how do i add mysql_real_escape in this statment?

$SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'");

[floridaflatlander]

I don't do it like that but it may be

 

$q = "Select * From cpanel_users WHERE Usr_Username= {mysqli_real_escape_string($dbc, $Post_Username)}";

 

This should be close to it.

 

edited mysqli_real_escape_string after post below

[shlumph]

Do you mean mysql_real_escape_string? Wrap it. mysql_real_escape_string($Post_Username)

 

More notes here, included suggested alternatives since mysql_* has become outdated.

http://php.net/manual/en/function.mysql-real-escape-string.php

[the-botman]

how would i wrap it in that statment?

[PFMaBiSmAd]

See Example 1 at the php.net link that shlumph posted.

 

The most general purpose way is to use sprintf since it separates the php syntax as much as possible from the sql syntax. It's also very similar to how you would form a query using prepared statements, so when you are ready to move onto that step, things will already look familiar.

[9997]

You could even do something as simple as this.

 

$Post_Username = mysql_real_escape_string($Post_Username);
$SqlResult = MySqlSelect("SELECT * From `cpanel_users` WHERE `Usr_Username`='{$Post_Username}'");

[jazzman1]

As @PFMaBiSmAd mentioned above using sprintf - http://en.wikipedia.org/wiki/SQL_injection (take a look at Escaping )

Example:

$query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
                  mysql_real_escape_string($Username),
                  mysql_real_escape_string($Password));
mysql_query($query);

 

Best way to prevent SQL injection is prepared statements and parametrical queries, using PDO or mysqli.