  1. #1
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Where to Place mysql_real_escape_string

    Hi guys, where do I need to place mysql_real_escape_string in my code? I tried looking around but can't figure it out.

    PHP Code:
    <html>
        <head>
            <title>Print Database</title>
    <style type="text/css">
    body {
    font-family: Arial, Helvetica, sans-serif;
    font-size: 10px;
    margin: 0px 0px 0px 0px;
    }
    .id {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    width: 35px;
    font-weight: bold;
    float: left;
    margin-right: 0px;
    }
    .name {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    font-weight: normal;
    width: 200px;
    float: left;
    }
    .price {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    width: 50px;
    float: left;
    font-weight: bold;
    text-align: right;
    }
    .description {
    font-weight: normal;
    float: left;
    width: 560px;
    margin-bottom: 5px;
    margin-left: 40px;
    }
    .condition {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    font-weight: normal;
    width: 110px;
    float: left;
    margin-left: 20px;
    }
    </style>
        </head>
        <body>
    <div style="float: left;"><h1>Used Products - Database Pull</h1></div>
        <?php
    include_once('connection.php');
    // No user input is interpolated into this query, so nothing needs escaping here
    $query = "SELECT
        products.products_id,
        products_description.products_name,
        products.products_status,
        products.products_price,
        products.used_condition,
        products.actuations
        FROM products
        INNER JOIN products_description
        ON products.products_id = products_description.products_id";
    $result = mysql_query($query) or die(mysql_error());
    $vat = 1.175;

    //Print out Results
    while ($row = mysql_fetch_array($result)) {

        //Main DIV Wrapper
        echo "<div style='width: 100%; margin-bottom: 0px; padding: 6px 0px 6px 0px; border-bottom: solid #000000 1px; float: left;'>";

        //Products ID Print
        echo "<div class='id'>".$row['products_id']."</div>";

        //Products Name Print (escaped for HTML: a value read back from the database is not safe markup)
        echo "<div class='name'>".htmlspecialchars($row['products_name'])."</div>";

        //Products Price Print
        echo "<div class='price'>£".number_format($row['products_price']*$vat)."</div>";

        //Products Used Condition Print
        if ($row['used_condition'] == NULL) {
            echo "<div class='condition'>Condition: <strong>N/A</strong></div>";
        } else {
            echo "<div class='condition'>Condition: <strong>".htmlspecialchars($row['used_condition'])."</strong></div>";
        }

        //Products Actuations Print
        if ($row['actuations'] == NULL) {
            echo "<div class='condition'>Actuations: <strong>N/A</strong></div>";
        } else {
            echo "<div class='condition'>Actuations: <strong>".htmlspecialchars($row['actuations'])."</strong></div>";
        }

        //Products Hidden/Visible Print
        if ($row['products_status'] <= 0) {
            echo "<div style='font-weight: bold; margin: 0px 0px 0px 20px; float: left;'>Hidden</div>";
        }

        //Main DIV Wrapper Closing Tag
        echo "</div>";
    }
    ?>
        </body>
    </html>

  2. #2
    Non-Member Kalon's Avatar
    Join Date
    Aug 2010
    Location
    At my computer
    Posts
    2,012
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I usually include it in the actual query

    Code:
    $query = 'select * from tblUser where fldUsername = "'.mysql_real_escape_string($username).'"';

  3. #3
    Raju Gautam's Avatar
    Join Date
    Oct 2006
    Location
    Kathmandu, Nepal
    Posts
    4,013
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Depending upon the situation, I usually use the function on all the user input data, whether it is passed via URL (GET) or form (POST), before using it in the database query.
    Mistakes are proof that you are trying.....
    ------------------------------------------------------------------------
    PSD to HTML - SlicingArt.com | Personal Blog | ZCE - PHP 5

  4. #4
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi, thank you both for your messages. Where would you place the real_escape in my above code? I just don't know where to place it.

  5. #5
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,097
    Mentioned
    153 Post(s)
    Tagged
    2 Thread(s)
    Quote Originally Posted by coxdabd View Post
    Hi, thank you both for your messages. Where would you place the real_escape in my above code? Just don't know where to place it.
    You're not using any PHP variables in the query you're running, so you don't need mysql_real_escape_string for this query at all.

    Where you use it is if you want to show just one product based on a products_id, like so:

    PHP Code:
    $query = "SELECT
        products.products_id,
        products_description.products_name,
        products.products_status,
        products.products_price,
        products.used_condition,
        products.actuations
        FROM products
        INNER JOIN products_description
        ON products.products_id = products_description.products_id
        WHERE products.products_id = '".mysql_real_escape_string($product_id)."'";
    // The escaped value has to sit inside SQL quotes; escaping alone does nothing for an unquoted value
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  6. #6
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ScallioXTX View Post
    You're not using any PHP variables in the query you're running, so you don't need mysql_real_escape_string for this query at all.

    Where you use it is if you want to show just one product based on a products_id, like so:

    PHP Code:
    $query = "SELECT
        products.products_id,
        products_description.products_name,
        products.products_status,
        products.products_price,
        products.used_condition,
        products.actuations
        FROM products
        INNER JOIN products_description
        ON products.products_id = products_description.products_id
        WHERE products.products_id = '".mysql_real_escape_string($product_id)."'";
    // The escaped value has to sit inside SQL quotes; escaping alone does nothing for an unquoted value
    Hi, thanks for your reply. Right, ok, I understand now. So the following script would be acceptable to use and would indeed work?

    PHP Code:
    <?php
    error_reporting(0);
    include('tpl_includes/header.php');
    $email = "";
    $msg_to_user = "";
    if (isset($_POST['email']) && $_POST['email'] != "") {
        include_once "connection.php";

        // Escape the submitted address before it is placed inside the SQL string
        $email = mysql_real_escape_string($_POST['email']);

        $sql = mysql_query("SELECT * FROM addresses WHERE email='$email'");
        $numRows = mysql_num_rows($sql);

        if (!$email) {
            $msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">Please type an email address.</div>';
        } else if ($numRows > 0) {
            // Escape again for the browser: $email is SQL-escaped, which is not the same as HTML-escaped
            $msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">'.htmlspecialchars($_POST['email']).' is already in the system.</div>';
        } else {
            if (false !== filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
                $sql_insert = mysql_query("INSERT INTO addresses (email, dateTime) VALUES('$email', now())") or die(mysql_error());
                $msg_to_user = '<div class="msg_to_user_success" style="margin-top: 10px;">You have been added successfully.</div>';
                $email = "";
            } else {
                $msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">Invalid email address, please try again.</div>';
            }
        }
    }
    ?>

  7. #7
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,097
    Mentioned
    153 Post(s)
    Tagged
    2 Thread(s)
    Yup

  8. #8
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    Yep, that's an acceptable way of doing it.

    You are using mysql_escape_string to escape input which could have been tampered with, in order to protect the next recipient of that data, i.e. MySQL.

    Bear in mind that when you then go on and extract that lump of data again, this time say for display in a webpage as HTML, it is again incumbent upon you to escape that data again, for the next recipient, i.e. a webpage (htmlentities, htmlspecialchars and so on).

    This is the EO part of the FIEO mantra which you need to understand in order to protect yourself and others from attacks.

    Filter Input, Escape Output
    Last edited by Cups; Dec 7, 2010 at 09:33. Reason: Darn too slow to reply again ....
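    As an added example (not code from the thread), the Filter Input / Escape Output flow described above applied to the sign-up script from post #6, assuming PHP 7.4 or later with the pdo_sqlite extension: an in-memory SQLite table stands in for the MySQL one so it runs offline, and because the mysql_* functions were removed in PHP 7 the SQL side uses PDO::quote() for the escape-then-concatenate form and a prepared statement as the preferred form. The same address is escaped once for the database and, separately, once for the browser.

```php
<?php
declare(strict_types=1);

// Assumption: PHP >= 7.4 with pdo_sqlite; an in-memory SQLite table stands in for MySQL.
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE addresses (email TEXT NOT NULL UNIQUE, dateTime TEXT NOT NULL)');
    return $pdo;
}

// Filter Input: only a syntactically valid address gets past this point.
function filterEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Escape for the first recipient, the database. The prepared statement keeps the
// value out of the SQL text altogether; PDO::quote() is the escape-then-concatenate
// form the thread uses with mysql_real_escape_string(), returned here for comparison.
function addAddress(PDO $pdo, string $email): string
{
    $stmt = $pdo->prepare('INSERT INTO addresses (email, dateTime) VALUES (:email, :now)');
    $stmt->execute([':email' => $email, ':now' => date('c')]);
    return 'SELECT * FROM addresses WHERE email = ' . $pdo->quote($email);
}

// Escape for the second recipient, the browser: HTML escaping is a separate step
// from SQL escaping, and the value read back from the table has had none applied.
function userMessage(string $email): string
{
    return '<div class="msg_to_user_success">'
        . htmlspecialchars($email, ENT_QUOTES, 'UTF-8')
        . ' has been added.</div>';
}

$pdo = openDb();
// Constructed input containing a single quote, which each escaper handles in its own way.
$email = filterEmail("o'brien@example.com");
if ($email === null) {
    exit("Invalid email address.\n");
}
echo addAddress($pdo, $email), "\n";
echo userMessage($email), "\n";
```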

  9. #9
    SitePoint Evangelist
    Join Date
    Aug 2010
    Posts
    503
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Brilliant, thank you guys. Just wanted to make sure I have been implementing the mysql_real_escape_string correctly. Appreciate the help.

