  1. #1
    SitePoint Enthusiast (Join Date: Jul 2006, Posts: 97)

    mysqli_real_escape_string

    Hi all,

    I'm trying to alter a piece of code to include mysqli_real_escape_string to avoid SQL injections, and I would like to ask if the following code is properly written, as I'm not quite sure how to test it.

    Original code:

    PHP Code:
    if(($rss_title !='') && ($rss_url !=''))
    {
        $query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");
    }

    Altered code:

    PHP Code:
    if(($rss_title !='') && ($rss_url !=''))
    {
        $query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");

        $query mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_title$rss_url$_SESSION);
    }
    Thanks

  2. #2
    SitePoint Addict (Join Date: Apr 2011, Posts: 265)
    Hi,
    Try this (the values must be filtered with mysqli_real_escape_string(), not the whole SQL query).
    Code:
    if($rss_title !='' && $rss_url !='') {
      // mysqli_real_escape_string() takes the connection as its first argument so it can escape for the connection's character set
      $query = mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('". mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_title) ."', '". mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_url) ."', '1', '". mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $_SESSION['session_lang']) ."')");
    }

  3. #3
    felgall, Programming Since 1978 (Join Date: Sep 2005, Location: Sydney, NSW, Australia, Posts: 16,862)
    You shouldn't ever need to use mysqli_real_escape_string, as an even better solution is to use prepare and bind, which makes injection completely impossible by keeping the data completely separate from the SQL.
    Stephen J Chapman

  4. #4
    SitePoint Enthusiast (Join Date: Jul 2006, Posts: 97)
    Quote Originally Posted by felgall
    You shouldn't ever need to use mysqli_real_escape_string, as an even better solution is to use prepare and bind, which makes injection completely impossible by keeping the data completely separate from the SQL.
    Thanks a lot for the replies.
    Felgall, would you mind giving an example of the above code but with prepared statements?

    Thanks a lot

  5. #5
    felgall, Programming Since 1978 (Join Date: Sep 2005, Location: Sydney, NSW, Australia, Posts: 16,862)
    Code:
    $stmt = $GLOBALS["___mysqli_ston"]->prepare("insert into rss (title, url, published, lang) values (?, ?, ?, ?)");
    $stmt->bind_param('ssds', $rss_title, $rss_url, 1, $_SESSION[session_lang]);
    Stephen J Chapman

  6. #6
    SitePoint Enthusiast (Join Date: Jul 2006, Posts: 97)
    Many thanks Felgall.

    The code however throws the following error:

    Fatal error: Cannot pass parameter 4 by reference in /opt/lampp/htdocs/modules/rss/admin-rss.php on line 61

    where line 61 is:

    $stmt->bind_param('ssds', $rss_title, $rss_url, 1, $_SESSION[session_lang]);

    Any ideas?

  7. #7
    SitePoint Enthusiast (Join Date: Jul 2006, Posts: 97)
    Ignore my last post, I figured it out. I needed to put the value 1 into a variable for it to work.

    Many thanks for your help.

  8. #8
    SitePoint Enthusiast (Join Date: Jul 2006, Posts: 97)
    For some reason the session value is not being read properly via the prepared statement.
    This is my existing code, which seems to work fine but only for one language, as it doesn't get the session_lang. Any ideas?

    Code:
    $stmt = $GLOBALS["___mysqli_ston"]->prepare("insert into rss (title, url, published, lang) values (?, ?, ?, ?)");
    $my_var = 1;
    $stmt->bind_param('ssds', $rss_title, $rss_url, $my_var, $_SESSION[session_lang]);
    $stmt->execute();
    $stmt->close();
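
Pulling the thread's steps together (prepare with placeholders, bind variables rather than literals, execute), here is an added example; it is not code from any post in this thread. It assumes an open mysqli connection in `$db` (the thread keeps it in `$GLOBALS["___mysqli_ston"]`), that `session_start()` has already run, and the `rss` table with the columns used above; `insert_rss` is a function name chosen here. Two practitioner details differ from the posted code: mysqli is switched to exception mode so a failed `prepare()` or `execute()` cannot be silently ignored, and `published` is bound as an integer (`i`) instead of the `d` (double) in the thread's `'ssds'` type string.

```php
<?php
// Added example for this thread (not code from any of the posts above).
// Assumes $db is an open mysqli connection (the thread uses
// $GLOBALS["___mysqli_ston"]), that session_start() has already run, and
// the rss(title, url, published, lang) table from the thread.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception on errors instead of returning false,
// so a failed prepare() or execute() surfaces rather than being ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert one feed row with a prepared statement and return the new row id.
 *
 * The SQL text holds only placeholders; $title, $url and $lang travel to the
 * server as parameters, so a quote inside them (e.g. O'Reilly) is stored
 * literally and is never parsed as part of the statement.
 */
function insert_rss(mysqli $db, string $title, string $url, string $lang): int
{
    if ($title === '' || $url === '') {
        throw new InvalidArgumentException('title and url must not be empty');
    }

    $stmt = $db->prepare(
        'INSERT INTO rss (title, url, published, lang) VALUES (?, ?, ?, ?)'
    );

    // bind_param() binds by reference, which is why the literal 1 in the
    // thread raised "Cannot pass parameter 4 by reference": the value must
    // live in a variable. 'i' binds it as an integer; the thread's 'd' would
    // send a double.
    $published = 1;
    $stmt->bind_param('ssis', $title, $url, $published, $lang);
    $stmt->execute();

    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Usage with the thread's variables. The session key is read as a quoted
// string and checked explicitly, rather than as the bare word in
// $_SESSION[session_lang]; failing loudly here beats inserting a NULL lang.
if (!isset($_SESSION['session_lang'])) {
    throw new RuntimeException('session_lang is not set in the session');
}
$new_id = insert_rss($db, $rss_title, $rss_url, $_SESSION['session_lang']);
```

With exception mode on, a wrong column name, a type string that does not match the placeholder count, or a lost connection all raise `mysqli_sql_exception`, which is where an application would log and return an error instead of continuing with a half-done request.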
