
<?php
// The original post omits the database connection; mysql_real_escape_string()
// needs an open MySQL link to know the connection character set.
$variable = "\\'s";                            // the string \'s (one backslash, a quote, s)

$variable = mysql_real_escape_string($variable); // backslash and quote each get escaped: \\\'s

echo $variable."\n";                           // prints \\\'s

$variable = stripslashes($variable);           // removes one level of backslashes again

echo $variable;                                // prints \'s
?>

Input => mysql_real_escape_string => stripslashes

's => \'s => 's

\'s => \\\'s => \'s

\\'s => \\\'s => \'s

Wow, you never want to stripslashes data coming out of a database, bud. There is this magical function called get_magic_quotes_gpc that tells you whether the data coming from a form has been sanitized or not. I would suggest using this function:

 

<?php
function myEscape($string) {
      // if magic quotes already added slashes on input, remove them first,
      // since there is a difference between addslashes and mysql_real_escape_string
      $string = get_magic_quotes_gpc() ? stripslashes($string) : $string;
      return mysql_real_escape_string($string); // escape data properly.
}
?>

 

This way the data only gets sanitized if it has not been before. That way when you pull data out of the DB you do not have to stripslashes it! A rule of thumb: you should never have to stripslashes data coming out of a database.

<?php
function myEscape($string) {
      return get_magic_quotes_gpc()?mysql_real_escape_string($string):$string;
}
?>

 

I don't understand what that does.

 

I updated it due to some new insight; anyhow, here it is commented:

<?php
function myEscape($string) {
      // if magic quotes are on, strip the slashes so we can use the proper mysql escaping,
      // since there is a difference between addslashes and mysql_real_escape_string
      $string = get_magic_quotes_gpc() ? stripslashes($string) : $string;
      return mysql_real_escape_string($string); // escape data properly.
}
?>

 

Basically the ? and : is the ternary operator, meaning:

if get_magic_quotes_gpc is on then stripslashes $string, else leave $string alone, and assign what came out of that to $string.

Any time POST or GET data is to be processed, put this at the top:

 

<?php
include('databaseconnectionhere.php');

function myEscape($string) {
      // if magic quotes are on, strip the slashes so we can use the proper mysql escaping,
      // since there is a difference between addslashes and mysql_real_escape_string
      $string = get_magic_quotes_gpc() ? stripslashes($string) : $string;
      return mysql_real_escape_string($string); // escape data properly.
}

// Array-valued fields (e.g. name="item[]") would make mysql_real_escape_string
// emit a warning and return NULL, so recurse into nested arrays and escape each leaf.
function escapeRequestArray(array $data) {
      foreach ($data as $key => $val) {
            $data[$key] = is_array($val) ? escapeRequestArray($val) : myEscape($val);
      }
      return $data;
}

// $_POST and $_GET are always set (possibly empty), so no isset() check is needed.
$_POST = escapeRequestArray($_POST);
$_GET  = escapeRequestArray($_GET);
?>
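As an added example (not code from anyone in this thread): a Python model of the PHP functions being discussed, so the escape/strip table from the first post and the double escaping that myEscape avoids when magic quotes are on can be checked without a MySQL connection. A single-byte connection character set and magic_quotes_gpc behaving as addslashes() on every request value are assumptions.

```python
# Added example, not code from this thread: a Python model of the PHP
# functions discussed above. Assumptions: single-byte connection charset,
# and magic_quotes_gpc modelled as addslashes() applied to each request value.

# Characters mysql_real_escape_string rewrites (NUL, \n, \r, \, ', ", Ctrl-Z).
MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}

def mysql_real_escape_string(s: str) -> str:
    """Model of PHP mysql_real_escape_string()."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in s)

def addslashes(s: str) -> str:
    """Model of PHP addslashes(): a backslash before \\ ' " and NUL only."""
    return "".join("\\0" if ch == "\0" else "\\" + ch if ch in "\\'\"" else ch
                   for ch in s)

def stripslashes(s: str) -> str:
    """Model of PHP stripslashes(): drop one backslash, keep the next char."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\0" if s[i + 1] == "0" else s[i + 1])  # \0 -> NUL
            i += 2
        elif s[i] == "\\":
            i += 1  # a trailing lone backslash is dropped, as in PHP
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def simulate_request(value: str, magic_quotes_on: bool) -> str:
    """What the script sees in $_POST for a submitted value."""
    return addslashes(value) if magic_quotes_on else value

def my_escape(received: str, magic_quotes_on: bool) -> str:
    """The thread's myEscape(): undo magic quotes first, then escape once."""
    s = stripslashes(received) if magic_quotes_on else received
    return mysql_real_escape_string(s)

if __name__ == "__main__":
    for raw in ["'s", "\\'s", "O'Neil"]:
        esc = mysql_real_escape_string(raw)
        print(f"{raw} => {esc} => {stripslashes(esc)}")  # the first post's table
    got = simulate_request("O'Neil", True)
    print("magic quotes on, escaped blindly:", mysql_real_escape_string(got))
    print("magic quotes on, via myEscape:   ", my_escape(got, True))
```

Running it shows the blind escape producing `O\\\'Neil` (the value that later tempts people into stripslashes on output), while myEscape yields `O\'Neil` whether magic quotes are on or off.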
