rondog, posted November 7, 2007:

I have been reading up on SQL injections and found solutions such as using mysql_real_escape and mysql_escape. I have two questions: 1. Which is better to use? 2. I've looked at the examples on php.net, but can't really understand them. Am I running mysql_real_escape on the username and password field or on the mysql_query? Can someone show a basic query example and kind of explain it for me? I would really appreciate it. Thanks!
roopurt18, posted November 7, 2007:

1) Use mysql_real_escape_string().

2) You do not run it on the entire query. You do run it on any and every bit of data you receive from the user that you use in a query.

    // Escape each piece of user input, not the query text itself
    $uname = mysql_real_escape_string($_POST['uname']);
    $pass  = mysql_real_escape_string($_POST['pass']);
    $sql = "SELECT * FROM `users` WHERE `uname`='{$uname}' AND `pass`='{$pass}'";
    $q = mysql_query($sql);

You should also note that if magic quotes are on, you first need to stripslashes(). The manual has examples of doing so: http://www.php.net/mysql_real_escape_string
atlanta, posted November 7, 2007:

Well, basically what happens is a person can enter ' or '1=1'' which is telling the query to blank the password, but 1=1, so go on with the process. Using mysql_real_escape_string will escape these characters, adding \ (I believe) to the input so that the user's input can't execute any malicious code. Understand that? You can read about it here: http://www.securiteam.com/securityreviews/5DP0N1P76E.html
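The following is an added example, not code from any post in this thread. It puts the two points above side by side: the login-bypass payload atlanta describes (a quote that closes the password literal followed by `OR '1'='1`), and roopurt18's rule that each piece of user data, never the query text, is escaped before it is spliced into the SQL. It uses an in-memory SQLite table standing in for the MySQL `users` table, with constructed sample users; the `escape()` helper doubles single quotes (the SQL-standard form, which MySQL also accepts) rather than reproducing mysql_real_escape_string's backslash output. It also goes beyond the thread in two ways: it shows placeholder parameters as the alternative that needs no escaping at all, and it shows why escaping input that has already been escaped once (the magic quotes trap roopurt18 mentions) breaks legitimate data.

```python
"""Login query built three ways: concatenated, escaped, and parameterised.

SQLite in memory stands in for the thread's MySQL `users` table.
The sample rows and the payload are constructed for this example.
"""
import sqlite3

# Constructed sample data: one plain user name and one containing a quote.
USERS = [("alice", "s3cret"), ("o'brien", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def matches(conn, sql, params=()):
    # Sorted so results are comparable regardless of row order.
    return sorted(row[0] for row in conn.execute(sql, params))


def login_unsafe(conn, uname, pw):
    # User input pasted straight into the SQL text: injectable.
    sql = f"SELECT uname FROM users WHERE uname='{uname}' AND pass='{pw}'"
    return matches(conn, sql)


def escape(value):
    # SQL-standard escaping for a single-quoted literal: double each quote.
    # mysql_real_escape_string does the same job for MySQL with backslashes
    # and also covers NUL bytes, newlines and the connection charset.
    return value.replace("'", "''")


def login_escaped(conn, uname, pw):
    # Each piece of user data is escaped on its way into the literal;
    # the surrounding query text is left alone.
    sql = (f"SELECT uname FROM users WHERE uname='{escape(uname)}' "
           f"AND pass='{escape(pw)}'")
    return matches(conn, sql)


def login_param(conn, uname, pw):
    # Placeholders: the driver keeps data and SQL apart, so nothing in the
    # input can change the statement's structure.
    sql = "SELECT uname FROM users WHERE uname=? AND pass=?"
    return matches(conn, sql, (uname, pw))


def login_double_escaped(conn, uname, pw):
    # Analogue of the magic_quotes trap: input arrives already escaped once
    # and is escaped again, so a legitimate quote in the data stops matching.
    return login_escaped(conn, escape(uname), escape(pw))


# Constructed payload: closes the password literal, then OR-s in a tautology.
ATTACK_PW = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe  :", login_unsafe(db, "alice", ATTACK_PW))
    print("escaped :", login_escaped(db, "alice", ATTACK_PW))
    print("param   :", login_param(db, "alice", ATTACK_PW))
    print("o'brien, escaped once :", login_escaped(db, "o'brien", "hunter2"))
    print("o'brien, escaped twice:", login_double_escaped(db, "o'brien", "hunter2"))
```

With the payload as the password, `login_unsafe` builds `... AND pass='' OR '1'='1'` and returns every user, while the escaped and parameterised versions return nothing. The last two calls show the other half of the story: `o'brien` logs in fine when escaped exactly once, and fails when escaped twice, which is why a slash-adding layer such as magic quotes has to be undone with stripslashes() before mysql_real_escape_string runs.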
rondog (author), posted November 7, 2007:

Thanks guys, I understand now. @roopurt18: How do I know if magic quotes is on or off?
atlanta, posted November 7, 2007:

> Thanks guys, I understand now. @roopurt18: How do I know if magic quotes is on or off?

You can add this to a PHP file and see what it outputs:

    <?php
    // get_magic_quotes_gpc() returns 1 when magic_quotes_gpc is enabled
    if (get_magic_quotes_gpc() == 1) {
        echo "Magic quotes gpc is on";
    } else {
        echo "Magic quotes gpc is off";
    }
    ?>
roopurt18, posted November 7, 2007:

rondog, rather than just flat out tell you, I'm going to teach you to be resourceful. Here again is the link I gave you above: http://www.php.net/mysql_real_escape_string. That's a lot of reading, so press Ctrl+F on your keyboard to bring up the find window for your browser and search for the term 'magic'. Should take you right to it.
rondog (author), posted November 7, 2007:

> rondog, rather than just flat out tell you, I'm going to teach you to be resourceful. Here again is the link I gave you above: http://www.php.net/mysql_real_escape_string. That's a lot of reading, so press Ctrl+F on your keyboard to bring up the find window for your browser and search for the term 'magic'. Should take you right to it.

I've been to that page and don't understand it. I don't have time to teach myself. This is something that has a deadline and must be done as soon as possible. I've taught myself almost everything I know, and PHP being the newest language I know, there is still a plethora of functions that I don't even know exist, like magic quotes. I do appreciate you wanting me to teach myself, but unfortunately time doesn't allow me at the moment. @atlanta: turns out it's off. Thanks =]