So where I post the form info like:

[code]$abc = $_POST['abc'];
$abc2 = $_POST['abc2'];
$abc3 = $_POST['abc3'];[/code]

I would do:
[code]$abc = $_POST['abc'];
mysql_real_escape_string($abc)
$abc2 = $_POST['abc2'];
mysql_real_escape_string($abc2)
$abc3 = $_POST['abc3'];
mysql_real_escape_string($abc3)[/code]

...or can I simply do it on the query:
[code]$sql = "Insert into...."
mysql_real_escape_string($sql)[/code]

What happens if it detects malicious code? Does it echo or display anything?
First, we better define what "malicious code" is and how it is detected. mysql_real_escape_string() simply fully escapes a string for safe insertion into a MySQL database. So, to oversimplify, it helps escape all the floating quotes within text that may cause a query to end prematurely. This alone is not enough to avoid [i]malicious code[/i]. People could insert HTML or even javascript into a form on your page and cause real problems as well. So, be sure you account for these things as well. To answer your specific question, be aware that the function [b]returns the string passed once it has been escaped[/b], so you want to assign the results to the variable you will be using:
[code]
<?php
$abc = mysql_real_escape_string($_POST['abc']);
?>
[/code]

Often, I'll actually create a function that will loop through all my $_POST variables and prepare them all individually so I don't have to deal with them:
[code]
<?php
function cleanPost() {
  foreach ($_POST as $key => $val) {
    $val = strip_tags($val);
    $val = mysql_real_escape_string($val);
    $_POST[$key] = $val;
  }
}
?>
[/code]

Hope this makes sense.
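The two points in the reply above (assign the return value, and escape each value rather than the finished query), worked through as an added example that is not code from the thread. Because mysql_real_escape_string() needs an open MySQL connection, the example uses escape_like_mysql(), a stand-in written for this example that applies the same escape table (backslash, both quote characters, NUL, newline, carriage return and Ctrl-Z); with a live connection you would call mysql_real_escape_string($value) in its place. The hostile form values are constructed for the example.

```php
<?php
// Added example, not code from the thread. mysql_real_escape_string() needs an
// open MySQL connection, so this stand-in applies the same escape table
// (backslash, both quote characters, NUL, \n, \r and Ctrl-Z) to keep the
// example runnable offline; with a real connection, call
// mysql_real_escape_string($value) instead.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Builds the queries discussed in the thread from one constructed hostile
// submission and returns them keyed by the pattern that produced them.
function buildQueries(): array
{
    // Constructed input: a quote-breakout payload and a quote-free one.
    $post = ['abc' => "x' OR '1'='1", 'id' => '1 OR 1=1'];
    $out = [];

    // 1. The pattern from the question: the return value is discarded, so
    //    $abc still holds the raw quote when it is interpolated.
    $abc = $post['abc'];
    escape_like_mysql($abc);
    $out['discarded'] = "INSERT INTO t (abc) VALUES ('$abc')";

    // 2. Escaping the finished query: the query's own quotes get escaped too,
    //    so MySQL receives VALUES (\'x\' ...) and refuses to parse it.
    $out['whole_query'] = escape_like_mysql("INSERT INTO t (abc) VALUES ('$abc')");

    // 3. Correct use: assign the escaped value, then quote it in the query.
    $abc = escape_like_mysql($post['abc']);
    $out['per_value'] = "INSERT INTO t (abc) VALUES ('$abc')";

    // 4. Escaping is not detection: a payload with no quotes passes through
    //    unchanged, and an unquoted numeric column stays injectable ...
    $id = escape_like_mysql($post['id']);
    $out['numeric_escaped'] = "SELECT * FROM t WHERE id = $id";
    // ... so numeric fields need a cast, not an escape.
    $id = (int) $post['id'];
    $out['numeric_cast'] = "SELECT * FROM t WHERE id = $id";

    return $out;
}

foreach (buildQueries() as $pattern => $sql) {
    printf("%-16s %s\n", $pattern, $sql);
}
```

Running it prints the discarded-return query with the payload intact, the whole-query variant with every quote (including the legitimate ones) escaped, the per-value variant with only the payload's quotes escaped, and the numeric case unchanged until it is cast. Two caveats a practitioner would add: mysql_real_escape_string() escapes according to the connection's character set, so set that with mysql_set_charset() rather than a SET NAMES query, and the mysql_* extension was removed in PHP 7, so new code should use prepared statements through mysqli or PDO, which avoid the escape-then-interpolate step altogether.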
Yes, if you include that function declaration within your scripts, you can clean all $_POST variables with one function call. To answer your second question, check out the manual for [url=http://www.php.net/strip_tags]strip_tags()[/url] for specifics, but it simply removes [b]all[/b] HTML tags by default. It will allow you to specify which tags you want to allow. This helps because it also removes all <script> tags.
[quote author=Mutley link=topic=120021.msg492135#msg492135 date=1167237215]
How do I stop the cleanPost() function on certain $_POST ? I have parts I do and don't want to strip_tags.
[/quote]
Just modify your function to accept exceptions. Something like this usually works for me. You pass in an array of field names you want the function to skip over:
[code]
<?php
function cleanPost($exceptions = array()) {
  foreach ($_POST as $key => $val) {
    if (!in_array($key, $exceptions)) {
      $val = strip_tags($val);
    }
    $val = mysql_real_escape_string($val);
    $_POST[$key] = $val;
  }
}
?>
[/code]

Hope this makes sense.
[quote author=Mutley link=topic=120021.msg492352#msg492352 date=1167262881]
So in the array something like:

[code]array($_GET['this'];, $_GET['that'];)[/code]
[/quote]

Actually, you only need the actual key names of the ones you want left out:
[code]
<?php
// This will skip over $_POST['this'] and $_POST['that']
$exceptions = array('this', 'that');
cleanPost($exceptions);
?>
[/code]
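The exception handling from the last two replies, generalised in an added example that is not code from the thread. cleanInput() is a hypothetical replacement for the thread's cleanPost(): it takes any array and returns the cleaned copy, recurses into sub-arrays (which $_POST contains whenever a form uses name="tags[]" fields, and which the original loop would hand to strip_tags(), a warning with a NULL result on PHP 7 and a TypeError on PHP 8), and matches exception keys strictly. escape_like_mysql() is the same stand-in for mysql_real_escape_string() as used in the earlier added example, since that function needs a live connection; the form submission is constructed for the example.

```php
<?php
// Added example, not code from the thread. Stand-in for
// mysql_real_escape_string(), which needs a live connection: this applies its
// escape table so the example runs offline.
function escape_like_mysql(string $s): string
{
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                      "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"]);
}

// Generalised cleanPost(): works on any array, returns the cleaned copy instead
// of overwriting $_POST, and recurses into sub-arrays from name="field[]" inputs.
function cleanInput(array $input, array $exceptions = [], bool $stripTags = true): array
{
    $out = [];
    foreach ($input as $key => $val) {
        // Strict comparison matters: PHP turns numeric field names into int
        // keys, and on PHP 7 a loose in_array(0, ['this', 'that']) is true,
        // which would silently exempt that field from strip_tags().
        $strip = $stripTags && !in_array($key, $exceptions, true);
        if (is_array($val)) {
            // Only top-level keys are matched against $exceptions; a
            // sub-array inherits its parent's decision.
            $out[$key] = cleanInput($val, [], $strip);
        } else {
            $val = (string) $val;
            if ($strip) {
                $val = strip_tags($val);
            }
            $out[$key] = escape_like_mysql($val);
        }
    }
    return $out;
}

// Constructed submission: markup in a plain field, markup the site wants to
// keep in 'body', and a checkbox group that arrives as a sub-array.
$post = [
    'title' => "<b>Hello</b> O'Brien",
    'body'  => "<p>keep <script>alert(1)</script> markup</p>",
    'tags'  => ["<i>php</i>", "it's"],
];

// 'body' keeps its tags; everything else is stripped, then all values are
// escaped: title becomes "Hello O\'Brien", tags become ["php", "it\'s"].
$clean = cleanInput($post, ['body']);
var_export($clean);
```

To reproduce the thread's in-place behaviour, call `$_POST = cleanInput($_POST, ['body']);`. Note what the result is good for: the values are now escaped for exactly one sink, a MySQL string literal. Echoing `$clean['title']` into a page shows the stray backslash, and the exempted `$clean['body']` still carries its `<script>` element, so anything displayed must go through htmlspecialchars() at output time rather than being trusted because it passed this function.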