  1. #1
    Get my greedy down dotJoon's Avatar
    Join Date
    Apr 2003
    Location
    daejeon, South Korea
    Posts
    2,223

    realEscapted_inputBox

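    Code:

    <?php
    // Requires an open MySQL connection (legacy mysql_* extension).
    $inputBox = $_POST['inputBox'];  // previously relied on register_globals
    echo "inputBox: ".$inputBox."<br>";
    $realEscapted_inputBox = mysql_real_escape_string(trim($_POST['inputBox']));
    echo "realEscapted_inputBox: ".$realEscapted_inputBox;
    ?>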
    
    result
    
    inputBox: myText
    realEscapted_inputBox: myText
    If the value of inputBox is the same as the value of realEscapted_inputBox, what is mysql_real_escape_string needed for?

    How can I recognize the difference between plain inputBox and realEscapted_inputBox?

  2. #2
    Non-Member Kalon's Avatar
    Join Date
    Aug 2010
    Location
    At my computer
    Posts
    2,012
    The answers to your questions are in the manual.

    I don't have time to copy and paste them here.

  3. #3
    Get my greedy down dotJoon's Avatar
    If binary data is to be inserted, this function must be used.
    The quote above is from http://php.net/manual/en/function.my...ape-string.php

    I think "0100", "1010", etc, are binary data.

    What is binary data in the above?

    Does it mean that an unfriendly user can send binary data through a form box?

  4. #4
    SitePoint Enthusiast
    Join Date
    Dec 2007
    Posts
    67
    "mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement"

    There's no special characters in myText, what do you expect to have changed?

  5. #5
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by Jay.P View Post
    There's no special characters in myText
    Ah, when there are special characters, realEscapted does work.
    When there are no special characters, realEscapted doesn't work.
    Thank you.

    As I tested it,
    I found that "<" and ">" are special characters.

    What other special characters are there?

  6. #6
    rajug.replace('Raju Gautam'); bronze trophy Raju Gautam's Avatar
    Join Date
    Oct 2006
    Location
    Kathmandu, Nepal
    Posts
    4,013
    In general terms, this function escapes those characters which can also be used in SQL statements. To understand its real use, try passing a single quote in the value, like "myText's value", then try to insert it into the database:
    PHP Code:
    // Without escaping: the apostrophe ends the string literal early and the query fails.
    $value = "john's name is John Smith";
    mysql_query("insert into tbltest set name='$value'") or die(mysql_error());

    // With escaping: the apostrophe is stored as data.
    $value = mysql_real_escape_string("john's name is John Smith");
    mysql_query("insert into tbltest set name='$value'") or die(mysql_error());
    Try running the above two queries to see the use of mysql_real_escape_string().
    Mistakes are proof that you are trying.....
    ------------------------------------------------------------------------
    PSD to HTML - SlicingArt.com | Personal Blog | ZCE - PHP 5

  7. #7
    Get my greedy down dotJoon's Avatar
    PHP Code:
    $value = "john's name is John Smith";
    mysql_query("insert into tbltest set name='$value'") or die(mysql_error());
    The code above causes an SQL error, while the code below successfully inserts the value into the DB.

    PHP Code:
    $value = mysql_real_escape_string("john's name is John Smith");
    mysql_query("insert into tbltest set name='$value'") or die(mysql_error());
    mysql_real_escape_string() is cool.
    It can insert an apostrophe and prevent the opening tag "<" and closing tag ">".

    I guess I should do it to every user-submit data.
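
Added example, not part of any post in this thread: it prints what SQL escaping does to four constructed inputs (the set of escaped characters is the one the PHP manual lists for mysql_real_escape_string()), then stores the same inputs with a prepared statement and HTML-encodes them on output. Assumptions: show_sql_escaping() is a hypothetical illustration helper, and PDO with an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Assumptions: PDO + SQLite replaces the thread's MySQL connection;
// the table name tbltest is from the thread, everything else is constructed.

// Illustration only: mirrors the character set the PHP manual documents for
// mysql_real_escape_string() (NUL, \n, \r, \, ', ", Ctrl-Z).
// Not a replacement for the driver's own escaping.
function show_sql_escaping(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// Constructed sample inputs.
$samples = [
    "myText",
    "john's name is John Smith",
    "<b>bold</b>",
    "C:\\temp\\file",
];

foreach ($samples as $s) {
    printf("%-28s => %s\n", $s, show_sql_escaping($s));
}
// "myText" and "<b>bold</b>" come back unchanged: < and > have no meaning in SQL,
// so SQL escaping leaves them alone.

// A prepared statement keeps the value out of the SQL text, so no escaping is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbltest (name TEXT)');
$insert = $db->prepare('INSERT INTO tbltest (name) VALUES (?)');
foreach ($samples as $s) {
    $insert->execute([$s]);
}

// The stored values are the original strings; encoding for HTML is a separate step
// applied when the value is written into a page.
foreach ($db->query('SELECT name FROM tbltest') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```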

  8. #8
    rajug.replace('Raju Gautam'); bronze trophy Raju Gautam's Avatar
    Quote Originally Posted by dotJoon View Post
    I guess I should do it to every user-submit data.

