I will be using prepared statement soon but just wondering if my syntax below is correct with mysqli_real_string_escape for tinyint?
$expired = mysqli_real_escape_string($conn, $expired =0);
$user_activate = mysqli_real_escape_string($conn, $user_activate = 0);
or do I need a quotation around the numbers?
$expired = mysqli_real_escape_string($conn, $expired ='0');
$user_activate = mysqli_real_escape_string($conn, $user_activate = '0');
Escaping… who is still teaching people this stuff? They removed mysql_* functions and left mysqli_*, which basically has the same interface. Even PDO has escaping functions. What is going on when people still ask these questions and don’t understand the importance / concept of separating data / input from the query? Maybe the old php books just need to be burned. It is ridiculous that we are still dealing with these types of questions. Isn’t that the reason why they removed mysql_* functions from php in the first place? Great job… lol The only correct way to have code interact with the database is to separate the query from the data input using prepared statements that don’t embed data into the query string but use variable binding. The only correct way.
How many times?
Using mysqli_real_string_escape in 2018 is incorrect!
Stop following out-dated tutorials, find some up-to-date resources, start coding properly.
Anyone who tells you otherwise and encourages you to continue learning/using this old stuff is doing you a disservice.
Non-prepared queries don’t help you with anything except for maybe getting your site hacked. There is no reason not to use prepared queries. None.
Now that all you know about PHP is relatively new, it would be a good time to unlearn stuff that is just bad and replace it with stuff that is good. Start with the right foundation and you might get somewhere. Start with the wrong foundation and your house collapses and you’ll need to start all over again.
@piano0011 - If you know an incoming variable is supposed to be an integer then a simple type cast is all you need to escape it:
$expired = (int)$_POST['expired'];
Guaranteed that any harmful sql injection stuff will go away. Of course you should still just use prepared statements for this sort of stuff but there is value in making sure that integer variables really are integers.
And just one more suggestion: Instead of asking and then having to sort through different opinions why not just try it? It’s easy to run php from the command line and setting up small test cases is a good way to learn behavior.
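Putting the two points above together (prepared statements with bound parameters, and making sure integer flags really are integers), here is an added example that is not from any poster in this thread. It runs offline against an in-memory SQLite database through PDO; the mysqli equivalent of the binding step is given in a comment and assumes a mysqli connection named $conn.

```php
<?php
// Added example: validate incoming tinyint flags strictly, then bind them as
// parameters so the data never becomes part of the SQL text.

// (int)'abc' silently becomes 0, so validate instead of casting: only 0 or 1
// is accepted for a tinyint flag, anything else is rejected before any SQL runs.
function tinyintFlag(array $input, string $key): int
{
    $value = filter_var($input[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1]]);
    if ($value === false) {
        throw new InvalidArgumentException("$key must be 0 or 1");
    }
    return $value;
}

// Constructed stand-in for $_POST: form values always arrive as strings.
$post = ['expired' => '0', 'user_activate' => '1', 'id' => '42'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, expired INTEGER, user_activate INTEGER)');
$db->exec('INSERT INTO users VALUES (42, 1, 0)');

$expired      = tinyintFlag($post, 'expired');
$userActivate = tinyintFlag($post, 'user_activate');
$id           = filter_var($post['id'], FILTER_VALIDATE_INT);

// The query holds only placeholders; values are bound with an explicit integer type.
$stmt = $db->prepare('UPDATE users SET expired = :expired, user_activate = :active WHERE id = :id');
$stmt->bindValue(':expired', $expired, PDO::PARAM_INT);
$stmt->bindValue(':active', $userActivate, PDO::PARAM_INT);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

$row = $db->query('SELECT expired, user_activate FROM users WHERE id = 42')->fetch(PDO::FETCH_ASSOC);
printf("expired=%d user_activate=%d\n", $row['expired'], $row['user_activate']);

// Malformed input (a non-integer string) is rejected by validation, not coerced to 0.
try {
    tinyintFlag(['expired' => 'yes'], 'expired');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// mysqli equivalent of the binding step (assumes $conn is an open mysqli connection):
// $stmt = $conn->prepare('UPDATE users SET expired = ?, user_activate = ? WHERE id = ?');
// $stmt->bind_param('iii', $expired, $userActivate, $id);
// $stmt->execute();
```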
It’s as much about validation as about sanitisation. It’s always a good idea to check that the values received are what you expect them to be. Not only does it ensure they are clean, but you avoid/deal-with errors too.
It actually goes one step further. For html forms, everything is pretty much posted as a string including integers, booleans and reals. So type casting when reading posted values can ensure that your php variables are of the correct type and bypass downstream php type juggling “features”.
Echoing is a good start. Eventually you will want to explore the wonderful world of automated testing. PHPUnit is perhaps the most popular php testing framework. Always something more to learn.