  1. #1
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    php ver. 5 +mysql_real_escape_string

    Should mysql_real_escape_string work with php ver. 5

    Thanks

  2. #2
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, it does. Are you having a problem with it, or was this more of a "Will my script still work if I upgrade to PHP 5" question?
    PHP questions? RTFM
    MySQL questions? RTFM

  3. #3
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I thought it should work ..

    problems yes .. it's not escaping the characters .. but same script is fine on php ver. 4

    PHP Code:
    function ValidateInput($value) {
        // trim whitespace, drop HTML tags, then escape for the MySQL query
        $value = mysql_real_escape_string(strip_tags(trim($value)));
        return $value;
    }


    Cheers

  4. #4
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Do you have an open connection to your MySQL server already? mysql_real_escape_string only works if you've already opened a connection to a MySQL server. Are you getting any errors? Make sure error reporting is turned on or else you might not know.
    PHP questions? RTFM
    MySQL questions? RTFM

  5. #5
    SitePoint Enthusiast mrsmiley's Avatar
    Join Date
    Jul 2004
    Location
    Melbourne
    Posts
    96
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I use it on my PHP5 system successfully, but then I also use the mysqli version as well.

  6. #6
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    A connection is made as the data is being input .. just not escaped.

    Tried addslashes as well, also not working.

    in the file .htaccess I have disabled magic_quotes_gpc using:

    php_flag magic_quotes_gpc off

    Maybe that's the problem?


    Thanks

  7. #7
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Nope, that's not the problem at all.

    Question: how do you know your strings are not being escaped?
    PHP questions? RTFM
    MySQL questions? RTFM

  8. #8
    SitePoint Addict
    Join Date
    Sep 2006
    Posts
    219
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    This may throw a spanner in the works, but consider using prepared statements with mysqli or pdo - much safer - you don't have to worry about the escaping then.

  9. #9
    SitePoint Wizard bronze trophy Kailash Badu's Avatar
    Join Date
    Nov 2005
    Posts
    2,560
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The question still is why mysql_real_escape_string is not working. Do you care to show us the code?

  10. #10
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The basics of the code:

    The function:

    PHP Code:
    function ValidateInput($value) {
        // trim whitespace, drop HTML tags, then escape for the MySQL query
        $value = mysql_real_escape_string(strip_tags(trim($value)));
        return $value;
    }

    the update

    PHP Code:
    // escape every posted value in place before it is used in the query
    foreach ($_POST as $key => $value) {
        $_POST[$key] = ValidateInput($value);
    }

    $sql = mysql_query("UPDATE users SET email='".$_POST['email']."', msn='".$_POST['msn']."', icq='".$_POST['icq']."', yahoo='".$_POST['yahoo']."', aim='".$_POST['aim']."', about='".$_POST['description']."' WHERE userid='".$_SESSION['userid']."'") or die(mysql_error());
    It updates the info with no errors, but stays as " rather than \"

    The exact same script in PHP Ver. 4.4.3 works fine. The PHP Ver. 5 is another host.



    Thanks

  11. #11
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    When you say it "stays as " rather than \"", how are you checking that? If you're looking at it in the database or are wondering why you're not having to run it through stripslashes when you retrieve it, then it is working as intended; likely your 4.4.3 host had magic_quotes_gpc turned on and you were in fact double-escaping your content.

    Echo your array values immediately after escaping them and see what you get (you should see the '\' characters).
    PHP questions? RTFM
    MySQL questions? RTFM

  12. #12
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,

    4.4.3 host has magic_quotes_gpc turned off.

    I know in PHP Ver. 5 because I check the database and the data hasn't been escaped at all.


    Thanks

  13. #13
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    When you check the database, the only time you would see an escaping character is when you have double-escaped your data (e.g. by using mysql_real_escape_string when magic_quotes_gpc is turned on). You can verify the behavior by entering data that contains at least one ' character - if it enters into the database successfully, you are in fact escaping your data correctly.
    PHP questions? RTFM
    MySQL questions? RTFM

  14. #14
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,

    Really?

    I assumed you would see \' in the database to show it has been escaped.

    So I should have magic_quotes_gpc off?

    and if the data inserts as ' rather than \' with no errors it's good to go?

  15. #15
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, you should have magic_quotes_gpc turned off.

    And yes, if your code can insert data with ' with no errors then you are good to go (it means your code is being properly escaped and thus SQL injection will not work).
    PHP questions? RTFM
    MySQL questions? RTFM

  16. #16
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    That I did not know .. I assumed you should have \' to show it had been escaped.

    Thanks!

  17. #17
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Nope - just like PHP strips out the escaping \ when echoing a string, MySQL strips it out when inserting it into the database. Those characters are only dangerous when in SQL queries, so once they've gotten past that stage there's no longer any danger.
    PHP questions? RTFM
    MySQL questions? RTFM
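    The behaviour kromey describes in posts #13 to #17 (the backslash lives only in the SQL text, a backslash in the stored row means double escaping, and a value containing ' is the quick check) can be seen end to end in the script below. This is an added example, not code posted in the thread: it uses PDO with an in-memory SQLite database so it runs offline with no MySQL server, and the table name, the sample input and the helper function names are constructed for the demonstration. The quoting rules of SQLite differ from MySQL's (doubled ' instead of backslash), but the point about what ends up in the row is the same.

```php
<?php
// Added example (not from the thread): escaping belongs to the SQL text, not
// to the stored value; a stored backslash is the signature of double escaping.
// PDO + in-memory SQLite so this runs offline; the same holds with a MySQL DSN.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, about TEXT)');
    return $db;
}

function fetch_about(PDO $db, int $userid): string
{
    $stmt = $db->prepare('SELECT about FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userid]);
    return (string) $stmt->fetchColumn();
}

// 1. Correct: bound parameter. The driver quotes the value for the statement;
//    the row holds exactly what the user typed, quotes included, no backslash.
function insert_bound(PDO $db, int $userid, string $about): string
{
    $stmt = $db->prepare('INSERT INTO users (userid, about) VALUES (:id, :about)');
    $stmt->execute([':id' => $userid, ':about' => $about]);
    return fetch_about($db, $userid);
}

// 2. Wrong: escaping the value AND binding it (what "magic_quotes_gpc on plus
//    mysql_real_escape_string" amounts to). The backslashes become data.
function insert_double_escaped(PDO $db, int $userid, string $about): string
{
    $stmt = $db->prepare('INSERT INTO users (userid, about) VALUES (:id, :about)');
    $stmt->execute([':id' => $userid, ':about' => addslashes($about)]);
    return fetch_about($db, $userid);
}

// 3. The check from post #13: build the statement by concatenation. With the raw
//    value, the first ' terminates the literal and the statement fails; with the
//    driver's own quoting ($db->quote) the same value inserts cleanly.
function insert_concatenated(PDO $db, int $userid, string $about, bool $quote): ?string
{
    $literal = $quote ? $db->quote($about) : "'" . $about . "'";
    try {
        $db->exec("INSERT INTO users (userid, about) VALUES ($userid, $literal)");
    } catch (PDOException $e) {
        return null; // syntax error: the unescaped quote broke the statement
    }
    return fetch_about($db, $userid);
}

$db = make_db();
$input = "It's O'Brien";   // constructed sample input containing quote characters

var_dump(insert_bound($db, 1, $input));
var_dump(insert_double_escaped($db, 2, $input));
var_dump(insert_concatenated($db, 3, $input, false));
var_dump(insert_concatenated($db, 4, $input, true));
```

    Run it with the php CLI. The bound insert and the properly quoted concatenation both return the input unchanged, which is what you see when you "check the database" and find ' rather than \'; the double-escaped insert is the only one whose row contains backslashes; the raw concatenation returns null because the quote character broke the statement, which is exactly the failure a correctly escaped value never produces.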

  18. #18
    SitePoint Guru
    Join Date
    Aug 2004
    Location
    Earth
    Posts
    739
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    So in that case, there is no need to stripslashes then?

    unless you maybe use addslashes instead?


    Thanks

  19. #19
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by _matrix_ View Post
    So in that case, there is no need to stripslashes then?
    unless you maybe use addslashes instead?
    mysql_real_escape_string essentially does the same as addslashes. You use either addslashes or mysql_real_escape_string - not both. In either case, you do not use stripslashes on the output - only on input. If you have magic_quotes turned on, you do not use addslashes or mysql_real_escape_string on input, because it has already been done.

  20. #20
    SitePoint Wizard siteguru's Avatar
    Join Date
    Oct 2002
    Location
    Scotland
    Posts
    3,631
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Is it not safer to check whether magic quotes is On, strip slashes if it is, then do your own validation/escaping? This way you always know exactly the status of your data. Simplified example below ...

    PHP Code:
    // recursively undo magic_quotes_gpc on a request array (nested arrays included)
    function strip_magic_quotes($arr)
    {
        foreach ($arr as $k => $v)
        {
            if (is_array($v))
            {
                $arr[$k] = strip_magic_quotes($v);
            }
            else
            {
                $arr[$k] = stripslashes($v);
            }
        }

        return $arr;
    }

    if (get_magic_quotes_gpc())
    {
        if (!empty($_GET))    { $_GET    = strip_magic_quotes($_GET);    }
        if (!empty($_POST))   { $_POST   = strip_magic_quotes($_POST);   }
        if (!empty($_COOKIE)) { $_COOKIE = strip_magic_quotes($_COOKIE); }
    }

    // $conn = ... make your MySQL connection here; mysql_real_escape_string needs an open connection

    $data = $_POST['data'];

    $sql = "INSERT INTO Table (Field) VALUES ('" . mysql_real_escape_string($data) . "')";
    Ian Anderson
    www.siteguru.co.uk

  21. #21
    SitePoint Wizard silver trophy kyberfabrikken's Avatar
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by siteguru View Post
    Is it not safer to check whether magic quotes is On, strip slashes if it is, then do your own validation/escaping? This way you always know exactly the status of your data.
    Yes, certainly. And if you have PHP5, I would further suggest that you use prepared statements/bound parameters instead of manually escaping all values. It's safer, it's easier and in case of PDO, it's portable too. That's like three bonuses in one.

  22. #22
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by kyberfabrikken View Post
    That's like three bonuses in one.
    I like 3-for-1 deals!
    PHP questions? RTFM
    MySQL questions? RTFM

  23. #23
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Is it not safer to check whether magic quotes is On, strip slashes if it is, then do your own validation/escaping? This way you always know exactly the status of your data.
    Personally I've always found this to complicate things. For example you may have a class that inserts into a database. The source of that data may be GPC, or it may have come from elsewhere in the script, unaffected by magic quotes.
    In those cases checking the status of magic quotes won't help unless you also know the source of the data.

    I prefer to turn MQ off (get a new host if you can't) and explicitly escape.

  24. #24
    Worship the Krome kromey's Avatar
    Join Date
    Sep 2006
    Location
    Fairbanks, AK
    Posts
    1,621
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cranial-bore View Post
    I prefer to turn MQ off (get a new host if you can't) and explicitly escape.
    Sadly, not always an option. I just have an include before any of my processing that checks the status of magic_quotes_gpc and, if it is set, runs through each of GET, POST, and COOKIE stripping out the slashes.
    PHP questions? RTFM
    MySQL questions? RTFM
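    Putting posts #20, #21 and #24 together: the magic_quotes normalisation, followed by the thread's UPDATE from post #10 rewritten with bound parameters so no manual escaping is needed. This is an added example, not code posted by anyone in the thread. It assumes PDO with an in-memory SQLite database (so it runs offline; with a MySQL DSN the statements are unchanged), a constructed $post array standing in for $_POST, and a hypothetical PROFILE_FIELDS whitelist and update_profile() helper. get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0, so the guard checks the function exists before calling it.

```php
<?php
// Added example (not from the thread): magic_quotes guard + bound-parameter UPDATE.

// Recursively undo magic_quotes_gpc on a request array (siteguru's approach).
function strip_magic_quotes(array $arr): array
{
    foreach ($arr as $k => $v) {
        $arr[$k] = is_array($v) ? strip_magic_quotes($v) : stripslashes($v);
    }
    return $arr;
}

// Strip only when the interpreter actually added the slashes. On PHP 8 the
// function no longer exists, which is the same as "magic quotes off".
function normalise_request(array $arr): array
{
    $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic_on ? strip_magic_quotes($arr) : $arr;
}

// Columns the profile form may update (hypothetical whitelist). Column names
// come from this list, never from the request, so unexpected keys are ignored.
const PROFILE_FIELDS = ['email', 'msn', 'icq', 'yahoo', 'aim', 'description'];

// Returns the number of rows updated.
function update_profile(PDO $db, int $userid, array $post): int
{
    $sets   = [];
    $params = [':userid' => $userid];
    foreach (PROFILE_FIELDS as $field) {
        if (!array_key_exists($field, $post)) {
            continue;
        }
        // Validation (trim, strip HTML) is separate from SQL escaping, which the
        // bound parameter now takes care of; nothing is added or stripped twice.
        $column = ($field === 'description') ? 'about' : $field;
        $sets[] = "$column = :$field";
        $params[":$field"] = strip_tags(trim((string) $post[$field]));
    }
    if ($sets === []) {
        return 0;
    }
    $sql  = 'UPDATE users SET ' . implode(', ', $sets) . ' WHERE userid = :userid';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, email TEXT, msn TEXT, '
        . 'icq TEXT, yahoo TEXT, aim TEXT, about TEXT)');
$db->exec("INSERT INTO users (userid, email) VALUES (7, 'old@example.com')");

// Constructed sample POST body: a value with quotes, a value with HTML and
// padding, and an unexpected key that must never reach the query.
$post = normalise_request([
    'email'       => "o'brien@example.com",
    'description' => "  <b>I'm</b> user \"7\"  ",
    'userid'      => '1',   // ignored: not in PROFILE_FIELDS
]);

$rows = update_profile($db, 7, $post);
$row  = $db->query('SELECT email, about FROM users WHERE userid = 7')->fetch(PDO::FETCH_ASSOC);
var_dump($rows, $row);
```

    Run it with the php CLI. One row is updated; the stored email keeps its apostrophe with no backslash, the stored about text has the tags and padding removed but the quotes intact, and the posted userid never influences which row is changed because the WHERE clause is bound to the session-supplied id rather than to anything in the form.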

