Results 1 to 24 of 24
-
Feb 13, 2007, 20:35 #1 (joined Aug 2004, Earth, 739 posts)
PHP ver. 5 + mysql_real_escape_string
Should mysql_real_escape_string work with PHP ver. 5?
Thanks
-
Feb 13, 2007, 20:37 #2
-
Feb 13, 2007, 20:41 #3 (joined Aug 2004, Earth, 739 posts)
I thought it should work.
Problems, yes: it's not escaping the characters, but the same script is fine on PHP ver. 4.
PHP Code:
function ValidateInput($value) {
    // Trim whitespace, drop HTML tags, then escape for the currently open MySQL link
    $value = mysql_real_escape_string(strip_tags(trim($value)));
    return $value;
}
Cheers
-
Feb 13, 2007, 20:45 #4
-
Feb 13, 2007, 21:00 #5 (joined Jul 2004, Melbourne, 96 posts)
I use it on my PHP5 system successfully, but then I also use the mysqli version as well.
-
Feb 13, 2007, 21:53 #6 (joined Aug 2004, Earth, 739 posts)
A connection is made as the data is being input, it's just not escaped.
Tried addslashes as well, also not working.
In the .htaccess file I have disabled magic_quotes_gpc using:
php_flag magic_quotes_gpc off
Maybe that's the problem?
Thanks
-
Feb 13, 2007, 22:03 #7
-
Feb 13, 2007, 22:17 #8 (joined Sep 2006, 219 posts)
This may throw a spanner in the works, but consider using prepared statements with mysqli or PDO. Much safer: you don't have to worry about the escaping then.
-
Feb 14, 2007, 00:11 #9
The question still is why mysql_real_escape_string is not working. Do you care to show us the code?
-
Feb 14, 2007, 02:00 #10 (joined Aug 2004, Earth, 739 posts)
The basics of the code:
The function:
PHP Code:
function ValidateInput($value) {
    // Trim whitespace, drop HTML tags, then escape for the currently open MySQL link
    $value = mysql_real_escape_string(strip_tags(trim($value)));
    return $value;
}
PHP Code:
// Run every POST field through the validator in place
foreach ($_POST as $key => $value) {
    $_POST[$key] = ValidateInput($value);
}
// Build the UPDATE from the (already escaped) POST values
$sql = mysql_query(
    "UPDATE users SET email='" . $_POST['email'] . "', msn='" . $_POST['msn'] . "', "
    . "icq='" . $_POST['icq'] . "', yahoo='" . $_POST['yahoo'] . "', aim='" . $_POST['aim'] . "', "
    . "about='" . $_POST['description'] . "' WHERE userid='" . $_SESSION['userid'] . "'"
) or die(mysql_error());
The exact same script in PHP ver. 4.4.3 works fine. The PHP ver. 5 one is on another host.
Thanks
-
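The UPDATE from post #10, rewritten with a PDO prepared statement as post #8 suggests. This is an added example, not code from the thread or from any of its posters: the table and column names are taken from the query above, while the schema, the sqlite::memory: DSN (used so the demo runs offline) and the sample request data are constructed for the demo. Against the real host the DSN would be a mysql: one and the users table already exists.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: the poster's UPDATE as a PDO
// prepared statement. Table/column names come from the thread's query; the
// schema, the sqlite::memory: DSN and the sample input are constructed for
// this demo. On the real host use "mysql:host=...;dbname=...;charset=utf8mb4".

function connect(string $dsn = 'sqlite::memory:'): PDO
{
    return new PDO($dsn, null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        // On MySQL also set PDO::ATTR_EMULATE_PREPARES => false so the
        // server, not the client library, keeps SQL and data apart.
    ]);
}

// Request fields the profile form may set, mapped to their columns.
const PROFILE_COLUMNS = [
    'email' => 'email', 'msn' => 'msn', 'icq' => 'icq',
    'yahoo' => 'yahoo', 'aim' => 'aim', 'description' => 'about',
];

// Values are bound, never concatenated into the SQL text, so quotes,
// backslashes and "' OR 1=1 --" are stored as plain text. No escaping call.
function updateProfile(PDO $pdo, int $userId, array $input): int
{
    $stmt = $pdo->prepare(
        'UPDATE users SET email = :email, msn = :msn, icq = :icq, '
        . 'yahoo = :yahoo, aim = :aim, about = :description '
        . 'WHERE userid = :userid'
    );
    foreach (PROFILE_COLUMNS as $field => $_) {
        // Whitelist: only known fields are read, unknown keys are ignored.
        // trim() is normalisation only; it plays no part in injection safety.
        $v = $input[$field] ?? '';
        $stmt->bindValue(':' . $field, is_string($v) ? trim($v) : '', PDO::PARAM_STR);
    }
    $stmt->bindValue(':userid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // rows affected by the UPDATE
}

function fetchProfile(PDO $pdo, int $userId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT email, msn, icq, yahoo, aim, about FROM users WHERE userid = :userid'
    );
    $stmt->execute([':userid' => $userId]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// --- offline demo on constructed data ---
$pdo = connect();
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, email TEXT, msn TEXT, '
         . 'icq TEXT, yahoo TEXT, aim TEXT, about TEXT)');
$pdo->exec("INSERT INTO users (userid, email) VALUES (42, 'old@example.com')");

$post = [                                   // constructed, hostile form input
    'email'       => "o'reilly@example.com",
    'msn'         => 'C:\\Users\\me',
    'icq'         => '12345',
    'yahoo'       => "' OR 1=1 -- ",
    'aim'         => '',
    'description' => "He said \"hi\"\nand left",
    'userid'      => '1',                   // ignored: the id comes from the session
];

$changed = updateProfile($pdo, 42, $post);  // 42 stands in for $_SESSION['userid']
$row     = fetchProfile($pdo, 42);

// One row touched, every value reads back byte-for-byte as submitted:
// no backslashes added, and the injection string is just a string.
$ok = $changed === 1
    && $row['email'] === "o'reilly@example.com"
    && $row['msn']   === 'C:\\Users\\me'
    && $row['yahoo'] === "' OR 1=1 -- "
    && $row['about'] === "He said \"hi\"\nand left"
    && fetchProfile($pdo, 1) === null;      // user 1 was never touched
if (!$ok) {
    throw new RuntimeException('round trip failed');
}
echo "profile updated and read back intact\n";
```

Note that the loop iterates over the whitelist of known fields rather than over everything in the request, and that the row to update is chosen by the session's user id passed in as an integer; a `userid` key in the POST data is never consulted.
-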
Feb 14, 2007, 20:22 #11 (joined Sep 2006, Fairbanks, AK, 1,621 posts)
When you say it "stays as " rather than \"", how are you checking that? If you're looking at it in the database or are wondering why you're not having to run it through stripslashes when you retrieve it, then it is working as intended; likely your 4.4.3 host had magic_quotes_gpc turned on and you were in fact double-escaping your content.
Echo your array values immediately after escaping them and see what you get (you should see the '\' characters).
-
Feb 14, 2007, 20:56 #12 (joined Aug 2004, Earth, 739 posts)
Hi,
The 4.4.3 host has magic_quotes_gpc turned off.
I know in PHP ver. 5 because I check the database and the data hasn't been escaped at all.
Thanks
-
Feb 14, 2007, 21:22 #13 (joined Sep 2006, Fairbanks, AK, 1,621 posts)
When you check the database, the only time you would see an escaping character is when you have double-escaped your data (e.g. by using mysql_real_escape_string when magic_quotes_gpc is turned on). You can verify the behavior by entering data that contains at least one ' character - if it enters into the database successfully, you are in fact escaping your data correctly.
-
Feb 14, 2007, 21:42 #14 (joined Aug 2004, Earth, 739 posts)
Hi,
Really?
I assumed you would see \' in the database to show it has been escaped.
So I should have magic_quotes_gpc off?
And if the data inserts as ' rather than \' with no errors, it's good to go?
-
Feb 14, 2007, 21:45 #15
-
Feb 14, 2007, 21:46 #16 (joined Aug 2004, Earth, 739 posts)
That I did not know .. I assumed you should have \' to show it had been escaped.
Thanks!
-
Feb 14, 2007, 22:42 #17
-
Feb 15, 2007, 01:14 #18 (joined Aug 2004, Earth, 739 posts)
So in that case, there is no need to stripslashes then?
Unless you maybe use addslashes instead?
Thanks
-
Feb 15, 2007, 02:08 #19 (joined Jun 2004, Copenhagen, Denmark, 6,157 posts)
mysql_real_escape_string essentially does the same as addslashes. You use either addslashes or mysql_real_escape_string - not both. In either case, you do not use stripslashes on the output - Only on input. If you have magic_quotes turned on, you do not use addslashes or mysql_real_escape_string on input, because it has already been done.
-
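A worked illustration of the point made in #11, #13 and #19: no backslash in the table means the value was escaped exactly once and stored correctly; a backslash in the table means it was escaped twice (magic_quotes_gpc plus mysql_real_escape_string). This is an added example, not code from the thread or from any poster, and it runs without a database. escape_like_mysql() is an emulation of what mysql_real_escape_string() is documented to do for a single-byte or UTF-8 connection charset, and server_stores() is a small emulation of how the MySQL parser decodes one single-quoted literal with NO_BACKSLASH_ESCAPES off; both are assumptions made for the demo, not the real library or server code. The third case shows what happens with no escaping at all, which is the injection the escaping exists to prevent.

```php
<?php
declare(strict_types=1);

// Added demo, not code from the thread. No database needed: the two helpers
// below are emulations (assumptions) of mysql_real_escape_string() and of
// the server's parsing of a single-quoted literal (NO_BACKSLASH_ESCAPES off).

// What mysql_real_escape_string() is documented to do: a backslash before
// NUL, \n, \r, \, ', " and Ctrl-Z. The real function needs an open link so
// it can honour the connection charset; this assumes single-byte or UTF-8.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Decode ONE single-quoted literal at the start of $sql the way the server
// does and return [bytes_stored, rest_of_statement]. Whatever follows the
// closing quote is SQL as far as the server is concerned.
function server_stores(string $sql): array
{
    if ($sql === '' || $sql[0] !== "'") {
        throw new InvalidArgumentException('expected a single-quoted literal');
    }
    // \% and \_ keep their backslash outside LIKE patterns; any other \x is x.
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a",
            'b' => "\x08", 't' => "\t", '%' => '\\%', '_' => '\\_'];
    $out = '';
    $len = strlen($sql);
    for ($i = 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $n = $sql[++$i];
            $out .= $map[$n] ?? $n;
        } elseif ($c === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {   // '' is a literal quote
                $out .= "'";
                $i++;
            } else {
                return [$out, substr($sql, $i + 1)];        // closing quote
            }
        } else {
            $out .= $c;
        }
    }
    throw new RuntimeException('unterminated string literal');
}

function quoted(string $escaped): string
{
    return "'" . $escaped . "'";
}

// The three cases the thread is arguing about, on one constructed input.
function demo(): array
{
    $raw = "O'Reilly C:\\temp\nline2";   // a quote, a backslash path, a newline

    // 1. Escaped once, magic_quotes_gpc off (the PHP 5 host): the table holds
    //    the original bytes, so looking at the row shows no backslash at all.
    [$once, $rest1] = server_stores(quoted(escape_like_mysql($raw)) . ' WHERE userid=1');

    // 2. magic_quotes_gpc on AND mysql_real_escape_string(): the server
    //    stores addslashes($raw), i.e. the \' the poster expected to see.
    $twice = server_stores(quoted(escape_like_mysql(addslashes($raw))))[0];

    // 3. No escaping: the literal ends at the first quote and the tail of the
    //    input is executed as SQL. This is the injection case.
    [$none, $rest3] = server_stores(quoted("x' OR 1=1 -- ") . ' WHERE userid=1');

    return [
        'once_roundtrips'   => $once === $raw && $rest1 === ' WHERE userid=1',
        'twice_has_slashes' => $twice === addslashes($raw),
        'unescaped_value'   => $none,    // "x"
        'unescaped_tail'    => $rest3,   // " OR 1=1 -- ' WHERE userid=1"
    ];
}

$r = demo();
if (!$r['once_roundtrips'] || !$r['twice_has_slashes'] || $r['unescaped_value'] !== 'x') {
    throw new RuntimeException('emulation gave an unexpected result');
}
echo "escaped once:  stored value equals the input, no backslash in the table\n";
echo "escaped twice: stored value is addslashes(input), backslashes in the table\n";
echo "not escaped:   rest of the statement becomes" . $r['unescaped_tail'] . "\n";
```

The check that matters in practice is case 1: submit a value containing a single quote, confirm the statement runs without error, and confirm the row reads back with the quote and no backslash. Seeing a backslash in the table (case 2) is the double-escaping symptom, and a server-side syntax error or an unexpected WHERE match (case 3) is the sign that nothing escaped the value at all.
-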
Feb 15, 2007, 07:09 #20 (joined Oct 2002, Scotland, 3,631 posts, mentioned in 2 posts)
Is it not safer to check whether magic quotes is on, strip slashes if it is, then do your own validation/escaping? This way you always know exactly the status of your data. Simplified example below ...
PHP Code:
// Recursively undo magic_quotes_gpc so the request data is raw again
function strip_magic_quotes($arr)
{
    foreach ($arr as $k => $v)
    {
        if (is_array($v))
        {
            $arr[$k] = strip_magic_quotes($v);
        }
        else
        {
            $arr[$k] = stripslashes($v);
        }
    }
    return $arr;
}

// Only strip when PHP actually added the slashes
if (get_magic_quotes_gpc())
{
    if (!empty($_GET))    { $_GET    = strip_magic_quotes($_GET); }
    if (!empty($_POST))   { $_POST   = strip_magic_quotes($_POST); }
    if (!empty($_COOKIE)) { $_COOKIE = strip_magic_quotes($_COOKIE); }
}

$conn = etc. // make your Mysql connection
$data = $_POST['data'];
// Escape exactly once, at the point the value goes into the SQL string
$sql = "INSERT INTO Table (Field) VALUES ('" . mysql_real_escape_string($data) . "')";
-
Feb 15, 2007, 09:32 #21 (joined Jun 2004, Copenhagen, Denmark, 6,157 posts)
-
Feb 15, 2007, 22:29 #22
-
Feb 16, 2007, 00:09 #23 (joined Jan 2002, Australia, 2,634 posts)
Quote:
Is it not safer to check whether magic quotes is On, strip slashes if it is, then do your own validation/escaping? This way you always know exactly the status of your data.
In those cases checking the status of magic quotes won't help unless you also know the source of the data.
I prefer to turn MQ off (get a new host if you can't) and explicitly escape.
-
Feb 16, 2007, 00:14 #24