Jump to content

Recommended Posts

You shouldn't be running mysql_real_escape_string on a variable unless it is going into a query. Running it on everything like that causes as many problems (or more) as it solves. As you pointed out, you have to undo it when you want to output the variable to the screen, just as one example.

 

if you want to avoid typing out mysql_real_escape_string a bunch of times, wrap up your escaping into another function with a shorter name. Maybe do a sprintf() like function.

 

untested example:

function prep_query(/*...*/){
   $args = func_get_args();
   foreach ($args as $i=>$v){
     if ($i==0) continue; //skip sql text

     if (get_magic_quotes_gpc()) $v=stripslashes($v);     
     $args[$i] = mysql_real_escape_string($v);
   }

   return call_user_func_array('sprintf', $args);
}

echo prep_query("SELECT * FROM blah WHERE username='%s' AND IsSomething=%d", $_GET['username'], $_GET['something']);
Link to comment
https://forums.phpfreaks.com/topic/278010-php-batch-security/#findComment-1430135
Share on other sites

I would use mysqli or PDO, much easier and you don't have all the looping and other craziness:

$stmt = mysqli_prepare($link, "SELECT `column` FROM `table` WHERE `field`=?");
mysqli_stmt_bind_param($stmt, "s", $_GET['something']);
mysqli_stmt_execute($stmt);

Or something as simple as:

$_GET = array_map('mysql_real_escape_string', $_GET);
Link to comment
https://forums.phpfreaks.com/topic/278010-php-batch-security/#findComment-1430308
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.