the-botman Posted September 14, 2012 Share Posted September 14, 2012 how do i add mysql_real_escape in this statment? $SqlResult = MySqlSelect("Select * From cpanel_users WHERE Usr_Username='".$Post_Username."'"); Quote Link to comment https://forums.phpfreaks.com/topic/268381-mysql-real-escape/ Share on other sites More sharing options...
floridaflatlander Posted September 14, 2012 Share Posted September 14, 2012 I don't do it like that but it may be $q = "Select * From cpanel_users WHERE Usr_Username= {mysqli_real_escape_string($dbc, $Post_Username)}"; This should be close to it. edited mysqli_real_escape_string after post below Quote Link to comment https://forums.phpfreaks.com/topic/268381-mysql-real-escape/#findComment-1377957 Share on other sites More sharing options...
shlumph Posted September 14, 2012 Share Posted September 14, 2012 Do you mean mysql_real_escape_string? Wrap it. mysql_real_escape_string($Post_Username) More notes here, included suggested alternatives since mysql_* has become outdated. http://php.net/manual/en/function.mysql-real-escape-string.php Quote Link to comment https://forums.phpfreaks.com/topic/268381-mysql-real-escape/#findComment-1377958 Share on other sites More sharing options...
the-botman Posted September 15, 2012 Author Share Posted September 15, 2012 how would i wrap it in that statment? Quote Link to comment https://forums.phpfreaks.com/topic/268381-mysql-real-escape/#findComment-1378078 Share on other sites More sharing options...
PFMaBiSmAd Posted September 15, 2012 Share Posted September 15, 2012 See Example 1 at the php.net link that shlumph posted. The most general purpose way is to use sprintf since it separates the php syntax as much as possible from the sql syntax. It's also very similar to how you would form a query using prepared statements, so when you are ready to move onto that step, things will already look familiar. Quote Link to comment https://forums.phpfreaks.com/topic/268381-mysql-real-escape/#findComment-1378080 Share on other sites More sharing options...
9997 Posted September 17, 2012 Share Posted September 17, 2012 You could even do something as simple as this. $Post_Username = mysql_real_escape_string($Post_Username); $SqlResult = MySqlSelect("SELECT * From `cpanel_users` WHERE `Usr_Username`='{$Post_Username}'"); Quote Link to comment https://forums.phpfreaks.com/topic/268381-mysql-real-escape/#findComment-1378530 Share on other sites More sharing options...
jazzman1 Posted September 17, 2012 Share Posted September 17, 2012 As @PFMaBiSmAd mentioned above using sprintf - http://en.wikipedia.org/wiki/SQL_injection (take a look at Escaping ) Example: $query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'", mysql_real_escape_string($Username), mysql_real_escape_string($Password)); mysql_query($query); Best way to prevent SQL injection is prepared statements and parametrical queries, using PDO or mysqli. Quote Link to comment https://forums.phpfreaks.com/topic/268381-mysql-real-escape/#findComment-1378560 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.