  1. #1 MilchstrabeStern (Evil Genius; joined Nov 2003; Arizona; 1,131 posts)

    mysql_real_escape_string

    From php.net:
    mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
    I am using the function as follows:
    PHP Code:
        $dc_link = 'empty';

        //name formatting
        $dc_name = strip_tags($dc);
        $dc_name = mysql_real_escape_string($dc_name);

        //check if the corps has a link (most div 2 and 3's do not).
        //(note: built from the raw $dc, not from the escaped $dc_name)
        $dc_link = str_replace('<a href = "', '<a href="http://www.dci.org', $dc);

        $sql = "SELECT * FROM dci_corps WHERE name ='$dc_name'";
        $result_corps = mysql_query($sql);
        $row = mysql_fetch_row($result_corps);
        if (DB::isError($result)) {
            die($result->getMessage() . mysql_error());
        }

        if ($row[0] == 0) {
            echo "drum corps does not exist.. adding";
            //insert data for each drum corps if new event
            $insert = "INSERT INTO dci_corps (id,name,link) VALUES (0,'$dc_name','$dc_link')";
            $result = $db->query($insert);
            if (DB::isError($result)) {
                die($result->getMessage() . mysql_error());
            }
        }
    But when used that way, single quotes (or anything else as far as I know) are not escaped. According to php.net the function "calls MySQL's library function mysql_real_escape_string." So does the function need to be used within the query?

  2. #2 aamonkey (SitePoint Guru; joined Sep 2004; kansas; 953 posts)
    It looks like you are using the function correctly... the function does not need to be used within a query, you can use the function anytime as long as you have established a connection to your database. If the function is not working and you do not get any errors with error_reporting(E_ALL) then I dunno...

    you aren't expecting the actual entries in the database to have slashes in them are you? because it only prepares the data with prepending slashes so that it won't mess up a db insert query...the actual data in the database will not contain slashes.
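As an added illustration (not code from the thread), the character mapping quoted from php.net above is modelled in plain PHP so its effect on the query text can be seen without a database connection. The model_escape() name and the "St. John's" input are constructed here; the table, columns and link rewriting are the ones the posted code uses. The model only reproduces the documented mapping and is not a substitute for the real, connection- and charset-aware function.

```php
<?php
// Added example, not from the thread: a plain-PHP model of the character
// mapping php.net documents for mysql_real_escape_string(), so the effect
// can be seen without a database connection. The real function is
// connection- and charset-aware; this model only reproduces the documented
// mapping and should not be used in place of it.
function model_escape(string $value): string
{
    return strtr($value, [
        "\x00" => "\\0",   // NUL
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",   // Ctrl-Z
    ]);
}

// Constructed sample input: the kind of name the thread says fails.
$dc = "St. John's";

// Every value that is interpolated into the SQL text has to go through
// the escaper, not only $dc_name: the link is derived from the same raw $dc.
$dc_name = model_escape(strip_tags($dc));
$dc_link = model_escape(str_replace('<a href = "', '<a href="http://www.dci.org', $dc));

$sql    = "SELECT * FROM dci_corps WHERE name = '$dc_name'";
$insert = "INSERT INTO dci_corps (id,name,link) VALUES (0,'$dc_name','$dc_link')";

// For contrast, the same INSERT with the link left unescaped: the bare
// apostrophe terminates the string literal, so MySQL reports a syntax error.
$raw_link = str_replace('<a href = "', '<a href="http://www.dci.org', $dc);
$broken   = "INSERT INTO dci_corps (id,name,link) VALUES (0,'$dc_name','$raw_link')";

echo $sql, "\n", $insert, "\n", $broken, "\n";

// Sanity checks on the model: the fully escaped INSERT carries two
// backslash-quoted apostrophes and no bare one; the contrast query does.
assert(substr_count($insert, "\\'") === 2 && strpos($insert, "n's") === false);
assert(strpos($broken, "n's") !== false);
```

The stored value is unaffected by the backslashes, as the reply above says: the escaping only protects the query text, and MySQL removes the backslashes when it parses the string literal.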

  3. #3 MilchstrabeStern (Evil Genius; joined Nov 2003; Arizona; 1,131 posts)
    I get no Warning or Notice errors (with all error reporting on). But if I try inserting a name that is like "St. John's" it fails because of the " ' "

    Which shouldn't be happening if mysql_real_escape_string is working.

  4. #4 aamonkey (SitePoint Guru; joined Sep 2004; kansas; 953 posts)
    what happens when you change that chunk of code to this:

    PHP Code:
        $dc_link = 'empty';

        //name formatting
        $dc_name = strip_tags($dc);
        $dc_name = mysql_real_escape_string($dc_name);

        //check if the corps has a link (most div 2 and 3's do not).
        $dc_link = str_replace('<a href = "', '<a href="http://www.dci.org', $dc);

        $sql = "SELECT * FROM dci_corps WHERE name ='$dc_name'";
        $result_corps = mysql_query($sql) or die('error: ' . mysql_error());
        $row = mysql_fetch_row($result_corps) or die('error: ' . mysql_error());

        if ($row[0] == 0) {
            echo "drum corps does not exist.. adding";
            //insert data for each drum corps if new event
            $insert = "INSERT INTO dci_corps (id,name,link) VALUES (0,'$dc_name','$dc_link')";
            $result = $db->query($insert);
        }
    ...also if the query fails when you insert strings with "'" in them, you must be getting some error message--what is the exact message?
    Last edited by aamonkey; Jul 3, 2006 at 20:40.

  5. #5 SitePoint Member (joined Jun 2006; Zagreb, Croatia; 23 posts)
    Instead of

    PHP Code:
        $dc_name = strip_tags($dc);
        $dc_name = mysql_real_escape_string($dc_name);
        $dc_link = str_replace('<a href = "', '<a href="http://www.dci.org', $dc);
    try this:

    PHP Code:
        $dc_link = str_replace('<a href = "', '<a href="http://www.dci.org', $dc);

        /**
         * Escape strings so they can be inserted into database queries
         *
         * @param string $value String or number that goes into query
         * @todo if PHP < 4.3 use mysql_escape_string in place of mysql_real_escape_string
         */
        function quoteSmart($value)
        {
            // Stripslashes (undo magic_quotes_gpc so the value is not escaped twice)
            if (get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }
            // Quote if not a number or a numeric string
            if (!is_numeric($value)) {
                $value = mysql_real_escape_string($value);
            }
            return $value;
        }

        $dc_name = quoteSmart($dc);
        $dc_link = quoteSmart($dc_link);
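The quoteSmart() approach still builds the SQL by string interpolation, so it works only as long as every interpolated value has been through it. As an added example, not posted in the thread, here is the same lookup-then-insert written with mysqli prepared statements, where the driver sends the values separately from the SQL text and no escaping call is needed. The upsertCorps() name, the connection placeholders and the "St. John's" input are constructed; the table and columns are the thread's.

```php
<?php
// Added example, not from the thread: the thread's lookup-then-insert done
// with mysqli prepared statements. Values never become part of the SQL text,
// so an apostrophe in the name cannot terminate a string literal.
// Host, user, password and database name are placeholders.
function upsertCorps(mysqli $db, string $dc): bool
{
    $dc_name = strip_tags($dc);
    $dc_link = str_replace('<a href = "', '<a href="http://www.dci.org', $dc);

    // The ? placeholders stand in for the values; bind_param() ships them
    // to the server separately, typed as strings ('s').
    $select = $db->prepare('SELECT COUNT(*) FROM dci_corps WHERE name = ?');
    $select->bind_param('s', $dc_name);
    $select->execute();
    $select->bind_result($count);
    $select->fetch();
    $select->close();

    if ($count > 0) {
        return false; // already present, nothing inserted
    }

    $insert = $db->prepare('INSERT INTO dci_corps (id, name, link) VALUES (0, ?, ?)');
    $insert->bind_param('ss', $dc_name, $dc_link);
    $ok = $insert->execute();
    $insert->close();
    return $ok;
}

// Usage with placeholder credentials. Reporting is switched to exceptions
// so a failed query surfaces as an error instead of passing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');
var_dump(upsertCorps($db, "St. John's")); // the apostrophe needs no manual escaping
```

The value is stored exactly as typed, which matches the earlier point that escaping never changes the data in the table. On PHP 5.4 and later magic quotes no longer exist, so the stripslashes() branch of quoteSmart() has nothing to undo there.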

  6. #6 MilchstrabeStern (Evil Genius; joined Nov 2003; Arizona; 1,131 posts)
    I've used a very similar function from PHP.net before with the same results. I'll give it a shot again though tonight and see how it goes.