
mysql_real_escape_string Use


Mutley


So where I post the form info like:

[code]$abc = $_POST['abc'];
$abc2 = $_POST['abc2'];
$abc3 = $_POST['abc3'];[/code]

I would do:
[code]$abc = $_POST['abc'];
mysql_real_escape_string($abc);
$abc2 = $_POST['abc2'];
mysql_real_escape_string($abc2);
$abc3 = $_POST['abc3'];
mysql_real_escape_string($abc3);[/code]

...or can I simply do it on the query:
[code]$sql = "Insert into....";
mysql_real_escape_string($sql);[/code]

What happens if it detects malicious code? Does it echo anything or display anything?

First, we better define what "malicious code" is and how it is detected. mysql_real_escape_string() simply fully escapes a string for safe insertion into a MySQL database. So, to oversimplify, it helps escape all the floating quotes within text that may cause a query to end prematurely. This alone is not enough to avoid [i]malicious code[/i]. People could insert HTML or even javascript into a form on your page and cause real problems as well. So, be sure you account for these things as well. To answer your specific question, be aware that the function [b]returns the string passed once it has been escaped[/b], so you want to assign the results to the variable you will be using:
[code]
<?php
$abc = mysql_real_escape_string($_POST['abc']);
?>
[/code]

Often, I'll actually create a function that will loop through all my $_POST variables and prepare them all individually so I don't have to deal with them:
[code]
<?php
function cleanPost() {
  foreach ($_POST as $key => $val) {
    $val = strip_tags($val);
    $val = mysql_real_escape_string($val);
    $_POST[$key] = $val;
  }
}
?>
[/code]

Hope this makes sense.
Yes, if you include that function declaration within your scripts, you can clean all $_POST variables with one function call. To answer your second question, check out the manual for [url=http://www.php.net/strip_tags]strip_tags()[/url] for specifics, but it simply removes [b]all[/b] HTML tags by default. It will allow you to specify which tags you want to allow. This helps because it also removes all <script> tags.
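An added example (not from this thread or its posters) showing what strip_tags() does with its default and with an allowed-tags list, next to htmlspecialchars() for comparison. The sample string is constructed for the demo; the function name demoStripTags is my own. Two things worth seeing in the output: the text between the removed <script> tags survives, and attributes on tags you allow are left exactly as they were, so strip_tags() on input is a convenience, while escaping at output time is what actually keeps a stored value from rendering as markup.

```php
<?php
// Added example, not code from the thread. Shows the three behaviours side by side.

function demoStripTags(string $input, string $allowedTags = ''): array
{
    return [
        // Default: every tag is removed, but the text inside the tags is kept.
        'default' => strip_tags($input),
        // With an allow-list: the listed tags stay, and so do their attributes.
        'allowed' => strip_tags($input, $allowedTags),
        // Output escaping: the whole thing is rendered as literal text, never as markup.
        'escaped' => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
    ];
}

// Constructed sample input (what a form field might contain).
$sample = 'Hi <b class="note">there</b><script>console.log("hi")</script>';

foreach (demoStripTags($sample, '<b>') as $label => $result) {
    echo str_pad($label, 8) . ': ' . $result . PHP_EOL;
}
```

Run it from the command line with `php demo.php`. Because the allowed <b> keeps its `class` attribute untouched, the same holds for any other attribute on an allowed tag (the PHP manual says as much), which is why the escaped form is the one to use when echoing user-supplied text back into a page.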
[quote author=Mutley link=topic=120021.msg492135#msg492135 date=1167237215]
How do I stop the cleanPost() function on certain $_POST ? I have parts I do and don't want to strip_tags.
[/quote]
Just modify your function to accept exceptions. Something like this usually works for me. You pass in an array of field names you want the function to skip over:
[code]
<?php
function cleanPost($exceptions = array()) {
  foreach ($_POST as $key => $val) {
    if (!in_array($key, $exceptions)) {
      $val = strip_tags($val);
    }
    $val = mysql_real_escape_string($val);
    $_POST[$key] = $val;
  }
}
?>
[/code]

Hope this makes sense.
[quote author=Mutley link=topic=120021.msg492352#msg492352 date=1167262881]
So in the array something like:

[code]array($_GET['this'], $_GET['that'])[/code]
[/quote]

Actually, you only need the actual key names of the ones you want left out:
[code]
<?php
// This will skip over $_POST['this'] and $_POST['that']
$exceptions = array('this', 'that');
cleanPost($exceptions);
?>
[/code]
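For anyone reading this thread today: the mysql_* extension it uses was deprecated in PHP 5.5 and removed in PHP 7, and the real-escape functions need an open connection because they escape according to the connection's character set. Below is an added example (mine, not the thread's) that carries the cleanPost($exceptions) idea over to mysqli, and puts a prepared-statement insert beside it, which is the form that makes the escaping step unnecessary. The table name `guestbook`, the connection details and the $_POST contents are all placeholders I made up for the demo.

```php
<?php
// Added example, not code from the thread. Requires the mysqli extension.
// Connection parameters are placeholders; replace them with your own.

// Same idea as the thread's cleanPost(): strip tags from every $_POST field
// except the named exceptions, then escape for use inside a quoted SQL literal.
// A copy is returned instead of overwriting $_POST, so the raw values stay available.
function cleanPost(mysqli $db, array $exceptions = []): array
{
    $clean = [];
    foreach ($_POST as $key => $val) {
        if (!is_string($val)) {          // nested arrays need their own handling
            continue;
        }
        if (!in_array($key, $exceptions, true)) {
            $val = strip_tags($val);
        }
        $clean[$key] = $db->real_escape_string($val);
    }
    return $clean;
}

// Escaping only protects a value that is placed INSIDE single quotes in the SQL text.
// An unquoted interpolation (a numeric column, ORDER BY, a table name) is not covered.
function insertEscaped(mysqli $db, array $row): bool
{
    $sql = sprintf(
        "INSERT INTO guestbook (name, message) VALUES ('%s', '%s')",
        $row['name'],
        $row['message']
    );
    return $db->query($sql) === true;
}

// Preferred form: a prepared statement sends the data separately from the SQL,
// so quotes in the input can never terminate the statement. Pass the raw value;
// escaping it first would store backslashes in the database.
function insertPrepared(mysqli $db, string $name, string $message): bool
{
    $stmt = $db->prepare("INSERT INTO guestbook (name, message) VALUES (?, ?)");
    $stmt->bind_param('ss', $name, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage. Placeholder credentials; set the charset so escaping matches the connection.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

// Constructed stand-in for a submitted form; 'bio' is the field we leave tags in.
$_POST = ['name' => "O'Brien", 'message' => '<b>hello</b>', 'bio' => '<i>keep me</i>'];

$row = cleanPost($db, ['bio']);
insertEscaped($db, $row);

insertPrepared($db, $_POST['name'], strip_tags($_POST['message']));
```

The escaping version is kept only to show where the thread's approach fits; the prepared statement is the one to use for new code. strip_tags() stays an output-side concern either way: it has nothing to do with the SQL, so apply it (or better, htmlspecialchars() at display time) regardless of which insert function you call.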