ohdang888 Posted March 22, 2008
Topic: https://forums.phpfreaks.com/topic/97416-real_escape-_string-question/

Does it work to do a mysql_real_escape_string on a fetch array, and "protect" everything in that array?

<?php
$result = mysql_query("SELECT * FROM `table` WHERE `id`='5'") or die(mysql_error());
$row = mysql_real_escape_string(mysql_fetch_array($result));
?>

Would that protect? Thanks
AndyB Posted March 22, 2008

Perhaps you'll find the manual explanation of the function useful: http://ca.php.net/mysql_real_escape_string
ohdang888 (Author) Posted March 22, 2008

Thanks, but I have a few questions on that page. What's that %s, %s, %d stuff?

<?php
$query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
    mysql_real_escape_string($product_name, $link),
    mysql_real_escape_string($product_description, $link),
    $_POST['user_id']);
?>
Daniel0 Posted March 22, 2008

Following on Andy's post: reading the manual entry for sprintf() will answer that question.
ohdang888 (Author) Posted March 22, 2008

Oh, alright, thanks. But can't I just do the mysql_real_escape_string on the variables right before they go into the query and achieve the same security level? For example, it would be like this:

$a = mysql_real_escape_string($a);
SELECT * FROM table WHERE column=$a
Daniel0 Posted March 22, 2008

Yeah. That'd be no problem. Although if it's a string value you'll have to enclose it in single quotes in the query.
ohdang888 (Author) Posted March 22, 2008

Oh, OK. It's all coming together now! One more question. I read through the link that Andy sent, and it doesn't address the question of whether I can put an escape string on an array (my first post). Thanks!
Daniel0 Posted March 22, 2008

No. You're using that function on the user input to ensure that arbitrary SQL cannot be injected into your query. It only works on strings, integers, floats and booleans. There is no point in running it on the results which are returned anyway.
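The three points raised in this thread, the sprintf() placeholders, escaping each scalar right before the query with string values quoted, and escaping inputs rather than fetched rows, put together in one script. This is an added example, not code from the thread. It uses the mysqli extension, since the mysql_* functions discussed above were removed in PHP 7.0 and mysqli_real_escape_string() does the same job. The connection details, the database name `shop` and the `products` table layout in the comment are assumptions for the example; the `$input` array is a constructed stand-in for $_POST.

```php
<?php
// Added example, not from the thread. Assumes a MySQL server reachable with
// the credentials below and a table
//   products(id INT PRIMARY KEY AUTO_INCREMENT, name VARCHAR(100),
//            description TEXT, user_id INT)
$link = mysqli_connect('localhost', 'app_user', 'app_password', 'shop');
if ($link === false) {
    die('Connect failed: ' . mysqli_connect_error());
}

// Constructed input standing in for $_POST. The quote plus "--" in the name
// is the classic attempt to close the string literal and comment out the
// rest of the statement.
$input = [
    'name'        => "Widget' , 'x', 0); -- ",
    'description' => "Plain description",
    'user_id'     => "42",
];

// Rule 1: escape each scalar input immediately before it enters the query,
// and wrap every string value in single quotes inside the SQL.
//   %s  inserts the argument as a string (already escaped, quoted in the SQL)
//   %d  inserts the argument as an integer; sprintf() coerces it, so a
//       non-numeric value becomes 0 rather than becoming SQL
$query = sprintf(
    "INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
    mysqli_real_escape_string($link, $input['name']),
    mysqli_real_escape_string($link, $input['description']),
    $input['user_id']
);
if (!mysqli_query($link, $query)) {
    die('Insert failed: ' . mysqli_error($link));
}
$newId = mysqli_insert_id($link);

// Rule 2: a fetched row is output, not input. The escape function takes a
// single string and rejects an array (a warning and NULL on PHP 5, a
// TypeError on PHP 8), so escaping the whole row is both an error and
// pointless: read the columns as they are.
$result = mysqli_query($link, sprintf("SELECT * FROM products WHERE `id` = %d", $newId));
$row = mysqli_fetch_assoc($result);
echo "Stored name: ", $row['name'], "\n"; // quote and "--" are stored literally

// If a fetched value later feeds another query, it is input again at that
// point and gets escaped again there.
$lookup = sprintf(
    "SELECT COUNT(*) AS n FROM products WHERE `name` = '%s'",
    mysqli_real_escape_string($link, $row['name'])
);
$count = mysqli_fetch_assoc(mysqli_query($link, $lookup));
echo "Rows with that name (escaped query): ", $count['n'], "\n";

// Rule 3: a prepared statement avoids manual escaping altogether, because
// the value travels separately from the SQL text and is never parsed as SQL.
$stmt = mysqli_prepare($link, "SELECT COUNT(*) AS n FROM products WHERE `name` = ?");
mysqli_stmt_bind_param($stmt, 's', $row['name']);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $n);
mysqli_stmt_fetch($stmt);
echo "Rows with that name (prepared statement): ", $n, "\n";
mysqli_stmt_close($stmt);
mysqli_close($link);
```

Run it against a throwaway database: the INSERT succeeds with the hostile name stored as plain text, and both count queries report the same row. Leaving out the escaping on the first INSERT (or the quotes around %s) is what would let the constructed name terminate the VALUES list early.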