  1. #1 tlacaelelrl (SitePoint Addict, Mexico city, Mexico, joined Apr 2011)

    mysql_real_escape_string strips all content

    Hello,

    I have some strings which I am running against mysql_real_escape_string, and it returns an empty string. Here is a sample string:

    PHP Code:
    //array value ["street"]=> string(16) "2324 W Burton St" )
    echo mysql_real_escape_string( $_POST["street"] );
    That prints nothing in the page. The code works on localhost; it doesn't on the server (Bluehost).
    Do you get bothered because I do the same thing every day?
    Do you question why I do it?
    Then find something that you actually like doing!!!

    Stop thinking on what I do.

  2. #2 guido2004 (From Italy with love, joined Sep 2004)
    mysql_real_escape_string doesn't strip anything, so if the result is empty, the input was probably empty.
    Try:
    PHP Code:
    echo 'street: ' . $_POST['street'] . '<br />';
    echo 'escaped street : ' . mysql_real_escape_string( $_POST['street'] );

  3. #3 tlacaelelrl
    I actually tried that, and also var_dump. The value I added in my first post is the value being processed. The exact same code works on my local machine; it just does not work on the server, and it only happens to the values passed to mysql_real_escape_string. All other POST values, like ints which I cast or on which I do a regular expression search, work just fine. This is what I'm doing:
    PHP Code:
    $street = isset( $_POST["street"] ) ? mysql_real_escape_string( $_POST["street"] ) : "";
    $town = isset( $_POST["town"] ) ? mysql_real_escape_string( $_POST["town"] ) : "";
    $city = isset( $_POST["city"] ) ? mysql_real_escape_string( $_POST["city"] ) : "";
    $state = isset( $_POST["state"] ) ? mysql_real_escape_string( $_POST["state"] ) : "";
    $country = isset( $_POST["country"] ) ? mysql_real_escape_string( $_POST["country"] ) : "";
    $zipcode = isset( $_POST["zipcode"] ) ? mysql_real_escape_string( $_POST["zipcode"] ) : "";
    $coordinates = isset( $_POST["coordinates"] ) ? preg_replace( "/[^0-9,.-]/", "", $_POST["coordinates"] ) : "";
    $phone = isset( $_POST["phone"] ) ? preg_replace( "/[^0-9]/", "", $_POST["phone"] ) : "";
    $website = isset( $_POST["website"] ) ? filter_var( $_POST["website"], FILTER_VALIDATE_URL ) : "";
    $favoritebook = isset( $_POST["favoritebook"] ) ? mysql_real_escape_string( $_POST["favoritebook"] ) : "";
    $aboutme = isset( $_POST["aboutme"] ) ? mysql_real_escape_string( $_POST["aboutme"] ) : "";
    When I do var_dump, all the values are there. This is it:

    PHP Code:
    array(14) {
      ["uid"]=>
      string(2) "54"
      ["coordinates"]=>
      string(40) "(39.950471420868766, -82.93292737500002)"
      ["street"]=>
      string(19) "2419 S Havenwood Dr"
      ["town"]=>
      string(13) "East Columbus"
      ["city"]=>
      string(8) "Franklin"
      ["state"]=>
      string(4) "Ohio"
      ["country"]=>
      string(13) "United States"
      ["zipcode"]=>
      string(5) "43209"
      ["phone"]=>
      string(7) "8765432"
      ["website"]=>
      string(26) "http://www.tlacaelelrl.com"
      ["favoritebook"]=>
      string(9) "some book"
      ["aboutme"]=>
      string(9) "some info"
      ["birthdate"]=>
      string(10) "01/04/1983"
      ["option"]=>
      string(17) "com_fantasyleague"
    }

  4. #4 StarLion (Keeper of the SFL, Atlanta, GA, USA, joined Feb 2006)
    Sanity Check: You have instantiated a database connection before these lines of code, correct?
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

  5. #5 tlacaelelrl
    Yes, my problem was that I was using mysql and had to use mysqli. Thank you all for your help!
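    The fix the thread arrives at, written out as an added example (this is not code from the thread or from any of its posters): escape through an open mysqli link whose charset has been set, wrap the escaped value in the quotes that make it safe, and abort if escaping yields an empty string for non-empty input. That last check reflects the symptom reported above: the legacy mysql_real_escape_string() returned false when no connection was open, and echoing false prints nothing. Host, credentials, and the addresses table and its columns are placeholders; the sample input is constructed.

```php
<?php
// Added example, not the thread's code. Host, credentials, table and column
// names are placeholders; the sample input at the bottom is constructed.
declare(strict_types=1);

// Raise exceptions on mysqli errors instead of quietly returning false/null,
// so a failed connection cannot go unnoticed the way it did in this thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    $db = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app'); // placeholders
    // real_escape_string() depends on the connection charset; set it on the
    // link itself rather than with a "SET NAMES" query.
    $db->set_charset('utf8mb4');
    return $db;
}

/** Return $value as a quoted SQL string literal escaped for this link. */
function quote(mysqli $db, string $value): string
{
    $escaped = $db->real_escape_string($value);
    // Escaping only ever adds backslashes, so an empty result for non-empty
    // input means the link is not usable; refuse rather than store "".
    if ($escaped === '' && $value !== '') {
        throw new RuntimeException('escaping produced an empty string; check the connection');
    }
    return "'" . $escaped . "'";
}

function save_address(mysqli $db, int $uid, array $post): void
{
    $street = isset($post['street']) ? quote($db, (string) $post['street']) : "''";
    $town   = isset($post['town'])   ? quote($db, (string) $post['town'])   : "''";
    // The escaped values are only safe inside the quotes that quote() added.
    $db->query("INSERT INTO addresses (uid, street, town) VALUES ($uid, $street, $town)");
}

// Constructed sample in the shape of the var_dump in post #3; the apostrophe
// shows what the escaping is actually for.
$sample = ['street' => "2324 W O'Brien St", 'town' => 'East Columbus'];
$db = connect();
save_address($db, 54, $sample);
```

    With mysqli_report() in strict mode the script stops at connect() if the credentials are wrong, which is the point at which the original code kept running and silently produced empty strings.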

  6. #6 felgall (Programming Since 1978, Sydney, NSW, Australia, joined Sep 2005)
    Quote Originally Posted by tlacaelelrl:
    Yes, my problem was that I was using mysql and had to use mysqli. Thank you all for your help!
    If you are using mysqli, then why don't you use prepare/bind for your database calls and do away with the need to escape anything?

    Also, you should never run the escape directly on the raw input field; you should always validate POST fields first before using them in any code at all.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  7. #7 travo (SitePoint Member, joined Oct 2011)
    Quote Originally Posted by felgall:
    Also, you should never run the escape directly on the raw input field; you should always validate POST fields first before using them in any code at all.
    @Felgall, just wondering why you say this? Is there any reason other than, say, performance, e.g. if the field is blank there is no need to escape?

  8. #8 guido2004
    Quote Originally Posted by travo:
    @Felgall, just wondering why you say this? Is there any reason other than, say, performance, e.g. if the field is blank there is no need to escape?
    Unless you don't care what value you're going to save in the database, you should validate user input, because you never know what values your script will receive.
    If you need a date, you'll have to make sure the received value is a valid date.
    If you need one of a given set of values, for example 'red', 'yellow' or 'blue', you should make sure the received value is one of those before saving it in the database.

    Even if you create a form with select boxes with the allowed values, that doesn't mean someone can't "hack" it and send your script other values.

  9. #9 travo
    Yeah, I get that, but he said never to escape unvalidated data, which I thought was a bit too strict. As you say, there are times you don't care what goes in, or whether the data even exists.

    As I was reading, I was wondering if there was some overhead related to mysql(i)_real_escape_string() that I hadn't read about, which would call for validation to try to limit its use, but it seems not. Thanks for clarifying.

  10. #10 tlacaelelrl
    I do check and make sure an expected value is correct, like the date, but as far as the name or address goes, how could I validate?
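    An added example that is not from the thread or its posters, pulling together felgall's prepare/bind advice (post #6), guido2004's allow-list point (post #8) and the question just asked about free-text fields such as a street or town. Free text cannot be matched against a fixed set, but it can still be checked for what a column should never contain: invalid UTF-8, control characters, and more bytes than the column holds. Fields that do come from a fixed set (state, here) are matched against an allow-list. The validated values then go to MySQL as bound parameters, so no escaping is involved. The column limits, the allowed-states list, the profiles table and the sample input are all constructed for the example.

```php
<?php
// Added example, not the thread's code. Column limits, the allowed-states
// list, the profiles table and the sample input are constructed.
declare(strict_types=1);

// Maximum lengths, matching the (assumed) VARCHAR sizes of the columns.
const FIELD_LIMITS = [
    'street'       => 100,
    'town'         => 60,
    'city'         => 60,
    'favoritebook' => 100,
    'aboutme'      => 1000,
];

// A field with a fixed set of acceptable values gets an allow-list
// (constructed, deliberately short).
const ALLOWED_STATES = ['Ohio', 'Georgia', 'New York'];

/**
 * Validate one free-text field: valid UTF-8, no control characters
 * (aboutme may contain line breaks), and within the column limit.
 * Returns the trimmed value, or null when the field is unacceptable.
 */
function validate_text(string $name, string $value): ?string
{
    if (!isset(FIELD_LIMITS[$name]) || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    $value = trim($value);
    // \p{Cc} is the Unicode "control" category; the multi-line field is the
    // only one where a newline is acceptable.
    $pattern = $name === 'aboutme' ? '/[^\P{Cc}\n]/u' : '/\p{Cc}/u';
    if (preg_match($pattern, $value) === 1) {
        return null;
    }
    if (mb_strlen($value, 'UTF-8') > FIELD_LIMITS[$name]) {
        return null;
    }
    return $value;
}

function validate_state(string $value): ?string
{
    return in_array($value, ALLOWED_STATES, true) ? $value : null;
}

/**
 * Validate every profile field from a POST-shaped array.
 * Returns ['validated' => [...], 'errors' => [field names that failed]].
 */
function validate_profile(array $post): array
{
    $clean  = [];
    $errors = [];
    foreach (array_keys(FIELD_LIMITS) as $name) {
        $raw = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
        $v = validate_text($name, $raw);
        if ($v === null) {
            $errors[] = $name;
        } else {
            $clean[$name] = $v;
        }
    }
    $state = validate_state((string) ($post['state'] ?? ''));
    if ($state === null) {
        $errors[] = 'state';
    } else {
        $clean['state'] = $state;
    }
    return ['validated' => $clean, 'errors' => $errors];
}

/** Store validated fields with a prepared statement: values travel as
 *  parameters, never as SQL text, so nothing needs escaping. */
function insert_profile(mysqli $db, int $uid, array $clean): bool
{
    $stmt = $db->prepare(
        'INSERT INTO profiles (uid, street, town, city, state, favoritebook, aboutme)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('issssss', $uid, $clean['street'], $clean['town'],
        $clean['city'], $clean['state'], $clean['favoritebook'], $clean['aboutme']);
    return $stmt->execute();
}

// Constructed sample input; the validation runs without a database.
$sample = [
    'street'       => ' 2419 S Havenwood Dr ',   // surrounding spaces are trimmed
    'town'         => "East\x00Columbus",        // embedded NUL, caught by the control-character check
    'city'         => 'Franklin',
    'state'        => 'Ohio',
    'favoritebook' => 'some book',
    'aboutme'      => "some info\nsecond line",  // newline allowed in this field only
];
$result = validate_profile($sample);
if ($result['errors'] === []) {
    // insert_profile(connect_to_db(), 54, $result['validated']);  // connection helper assumed
} else {
    http_response_code(400);
}
```

    Only validate_profile() is called in the sample run, so the block runs without a database; insert_profile() is what a form handler would call after validation succeeds, with a mysqli connection from whatever helper the application already has.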

