  1. #1, SitePoint Guru (Taunton, UK; joined Aug 2004; 787 posts)

    This code is stopping my post variables

    I found some code on the php site (http://uk.php.net/mysql_real_escape_string) that apparently protects against sql injection in post vars

    Code:
    foreach ($_POST as $key => $value) {
        $_POST[$key] = mysql_real_escape_string($value);
    }
    Anyway, after I use this, I don't seem to be able to retrieve my post variables.

    Here is my code

    Code:
    if ($_POST["submit"]) {

        // ------------------------
        // Get all form data values
        // ------------------------

        // Escape every POST value in place. No database connection has been
        // opened before this point.
        foreach ($_POST as $key => $value) {
            $_POST[$key] = mysql_real_escape_string($value);
        }

        $companyName = $_POST["companyName"];
        echo "companyName = " . $companyName;
    }
    My echo statement displays no value for companyName. If I remove that for statement, it works.

    I basically just want to protect my form against injection.

    Any help much appreciated.

    Thanks

    Paul
    Mediakitchen Limited
    App Development | Website Design & Development | Flash Game Development
    Somerset, UK
    http://www.mediakitchen.co.uk

  2. #2, SitePoint Guru (Taunton, UK; joined Aug 2004; 787 posts)

    Doh! Realised I needed to include a database connection before I could use mysql_real_escape_string function. I bet that catches a lot of people out!

  3. #3, SitePoint Enthusiast (joined Aug 2009; 75 posts)

    Yes, that function looks at your database connection to determine what encoding it is (UTF-8 or whatever), and then acts accordingly.

  4. #4, SitePoint Guru (Taunton, UK; joined Aug 2004; 787 posts)

    Yes I hadn't realised as I thought I had used it before without a database connection.

  5. #5, SitePoint Wizard bronze trophy (joined Jul 2008; 5,757 posts)

    The bad thing about that is you lose the ability to use the _POST values for anything but SQL queries. Now you can't always (correctly) use those values for other purposes like echoing them to the HTML page, because they will be escaped and Mr. O'Neil will be O\'Neil.

  6. #6, SitePoint Guru (Taunton, UK; joined Aug 2004; 787 posts)

    Would I be better performing the mysql_real_escape_string in the actual query if I need to display the values? I do know I need to display them in the form fields if the user fails to complete all the fields correctly, so they don't have to fill them all in again.

  7. #7, SitePoint Wizard bronze trophy (joined Jul 2008; 5,757 posts)

    The documentation for the function shows a decent way. You don't need to use sprintf() if you don't want to, you can just use regular string concatenation if desired.

    You can also make a new variable, or even a new array, so that way you don't overwrite the original values.

    Even better, start using bound parameters. Both mysqli and pdo support them. I recommend pdo.
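
    Putting replies #5 and #7 into code, as an added example that is not from the thread or its posters: the raw $_POST value is kept as submitted, handed to MySQL as a bound PDO parameter for the query, and HTML-escaped only at the moment it is re-displayed in the form. The DSN, credentials, table `companies` and column `name` are placeholders.

```php
<?php
// Added example (not from the thread). Placeholders: DSN, credentials,
// table `companies`, column `name`.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
    ]
);

if (isset($_POST['submit'])) {
    // Keep the original input untouched: O'Neil stays O'Neil here.
    $companyName = isset($_POST['companyName']) ? trim($_POST['companyName']) : '';

    $errors = [];
    if ($companyName === '') {
        $errors[] = 'Company name is required.';
    }

    if (empty($errors)) {
        // The value is sent to MySQL separately from the SQL text, so the
        // driver never has to guess where the string ends: no escaping needed.
        $stmt = $pdo->prepare('INSERT INTO companies (name) VALUES (:name)');
        $stmt->execute([':name' => $companyName]);
        echo 'Saved.';
    } else {
        // Re-display the form with the user's own value, escaped for HTML
        // (a different context from SQL): O'Neil is output as O&#039;Neil
        // in the page source and shows as O'Neil in the browser.
        foreach ($errors as $error) {
            echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
        }
        echo '<input type="text" name="companyName" value="'
            . htmlspecialchars($companyName, ENT_QUOTES, 'UTF-8') . '">';
    }
}
```

    The same value is therefore escaped for each output context separately (SQL by the driver, HTML by htmlspecialchars) instead of once, globally, in $_POST.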

  8. #8, SitePoint Guru (Taunton, UK; joined Aug 2004; 787 posts)

    Thanks crmalibu

    I have never heard of bound parameters - sounds like I need to do some reading.

    I will also have another read of the documentation for the function.

    Many thanks

    Paul