Where to Place mysql_real_escape_string

Hi guys, where do I need to place the mysql_real_escape_string in my code? Tried looking around but can't figure it out.

<html>
	<head>
		<title>Print Database</title>
<style type="text/css">
body {
font-family: Arial, Helvetica, sans-serif;
font-size: 10px;
margin: 0px 0px 0px 0px;
}
.id {
font-size: 10px;
font-family: Arial, Helvetica, sans-serif;
width: 35px;
font-weight: bold;
float: left;
margin-right: 0px;
}
.name {
font-size: 10px;
font-family: Arial, Helvetica, sans-serif;
font-weight: normal;
width: 200px;
float: left;
}
.price {
font-size: 10px;
font-family: Arial, Helvetica, sans-serif;
width: 50px;
float: left;
font-weight: bold;
text-align: right;
}
.description {
font-weight: normal;
float: left;
width: 560px;
margin-bottom: 5px;
margin-left: 40px;
}
.condition {
font-size: 10px;
font-family: Arial, Helvetica, sans-serif;
font-weight: normal;
width: 110px;
float: left;
margin-left: 20px;
}
</style>
	</head>
	<body>
<div style="float: left;"><h1>Used Products - Database Pull</h1></div>
	<?php
include_once('connection.php');
$query = "SELECT
    products.products_id,
    products_description.products_name,
    products.products_status,
	products.products_price,
	products.used_condition,
	products.actuations
	FROM products
	INNER JOIN products_description
	ON products.products_id = products_description.products_id";
$result = mysql_query($query) or die (mysql_error());
$vat = 1.175;

//Print out Results
while ($row = mysql_fetch_array($result)){
	//Main DIV Wrapper
	echo "<div style='width: 100%; margin-bottom: 0px; padding: 6px 0px 6px 0px; border-bottom: solid #000000 1px; float: left;'>";
	//Products ID Print
	echo "<div class='id'>".$row['products_id']."</div>";
	//Products Name Print (escaped for HTML: the value comes from the database, not from this script)
	echo "<div class='name'>".htmlspecialchars($row['products_name'])."</div>";
	//Products Price Print
	echo "<div class='price'>£".number_format($row['products_price']*$vat)."</div>";
	//Products Used Condition Print
	if ($row['used_condition'] == NULL) {
	echo "<div class='condition'>Condition: <strong>N/A</strong></div>";}
	else {echo "<div class='condition'>Condition: <strong>".htmlspecialchars($row['used_condition'])."</strong></div>";}
	//Products Actuations Print
	if ($row['actuations'] == NULL) {
	echo "<div class='condition'>Actuations: <strong>N/A</strong></div>";}
	else {echo "<div class='condition'>Actuations: <strong>".htmlspecialchars($row['actuations'])."</strong></div>";}
	//Products Hidden/Visible Print
	if ($row['products_status'] > 0) {
	echo "";}
	else {echo "<div style='font-weight: bold; margin: 0px 0px 0px 20px; float: left;'>Hidden</div>";}
	//Main DIV Wrapper Closing Tag
	echo "</div>";}

?>
	</body>
</html>


I usually include it in the actual query:

$query = 'select * from tblUser where fldUsername = "'.mysql_real_escape_string($username).'"';

Depending upon the situation, I usually use the function with all the user input data whether they are passed via URL (GET) or form (POST) before using in the database query.

Hi, thank you both for your messages. Where would you place the real_escape in my above code? Just don’t know where to place it.

You're not using any PHP variables in the query you're running, so you don't need mysql_real_escape_string for this query at all.

Where you use it is if you want to show just one product based on a products_id, like so:

// The escaped value must sit inside quotes: the escaping only protects a quoted value
$query="SELECT
    products.products_id,
    products_description.products_name,
    products.products_status,
    products.products_price,
    products.used_condition,
    products.actuations
    FROM products
    INNER JOIN products_description
    ON products.products_id = products_description.products_id
    WHERE products.products_id='".mysql_real_escape_string($product_id)."'";
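The same single-product lookup written out as an added example (not code from this thread), showing the two contexts the escaping has to deal with: a numeric column, where the value is better cast to an integer than escaped, and a string column, where the escaped value must be wrapped in quotes. It assumes a mysqli connection (mysqli is the replacement for the mysql_* extension, which PHP 7 removed), the products and products_description tables from the thread, and placeholder connection details.

```php
<?php
// Added example; not code from the thread. Assumes a mysqli connection $db
// (mysqli replaces the mysql_* extension, which PHP 7 removed) and the
// products / products_description tables used above.

// Numeric column: escaping only neutralises quote and control characters,
// so it does nothing useful when the value is spliced into SQL with no
// surrounding quotes. Cast to int so only a number can reach the query.
function productByIdQuery($raw_id): string
{
    $id = (int) $raw_id;
    return "SELECT products.products_id, products_description.products_name,
                   products.products_status, products.products_price,
                   products.used_condition, products.actuations
            FROM products
            INNER JOIN products_description
              ON products.products_id = products_description.products_id
            WHERE products.products_id = $id";
}

// String column: escape the value AND wrap it in single quotes. The quotes
// are what make the escaping meaningful.
function productByNameQuery(mysqli $db, string $raw_name): string
{
    $name = $db->real_escape_string($raw_name);
    return "SELECT products.products_id, products_description.products_name,
                   products.products_price
            FROM products
            INNER JOIN products_description
              ON products.products_id = products_description.products_id
            WHERE products_description.products_name = '$name'";
}

// Fetch one product as an associative array, or null when nothing matches.
function fetchOne(mysqli $db, string $sql): ?array
{
    $result = $db->query($sql);
    if ($result === false) {
        die('Query failed: ' . htmlspecialchars($db->error));
    }
    $row = $result->fetch_assoc();
    $result->free();
    return $row ?: null;
}

// Usage (connection details are placeholders). The id arrives via the URL.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$product = fetchOne($db, productByIdQuery($_GET['products_id'] ?? 0));
if ($product !== null) {
    // The browser is the next recipient of the data, so escape for HTML here
    echo '<div class="name">' . htmlspecialchars($product['products_name']) . '</div>';
}
```

The cast in productByIdQuery is the check a reviewer looks for whenever a value is pasted into SQL without quotes; real_escape_string on an unquoted number gives no protection at all. Prepared statements with bound parameters avoid the whole question of quoting and are the preferred approach where the driver offers them.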

Hi, thanks for your reply. Right, OK, I understand now. So the following script would be acceptable to use and would indeed work?

<?php
error_reporting(0);
include('tpl_includes/header.php'); 
$email = "";
$msg_to_user = "";
// isset() first: reading a missing POST field raises a notice
if (isset($_POST['email']) && $_POST['email']!=""){
	include_once "connection.php";
	
	// Escape for MySQL (needs the connection opened above)
	$email = mysql_real_escape_string($_POST['email']);
	
	$sql = mysql_query("SELECT * FROM addresses WHERE email='$email'") or die (mysql_error());
	$numRows = mysql_num_rows($sql);
	
	if (!$email){
	$msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">Please type an email address.</div>';
	}
	
	else if ($numRows>0){
	// The value is echoed back into the page, so escape it again, this time for HTML
	$msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">'.htmlspecialchars($email).' is already in the system.</div>';
	}
	else {
	if(false !== filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
	$sql_insert=mysql_query("INSERT INTO addresses (email, dateTime) 
	VALUES('$email',now())") or die (mysql_error());
	
	$msg_to_user='<div class="msg_to_user_success" style="margin-top: 10px;">You have been added successfully.</div>';	
	$email="";
	}else { $msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">Invalid email address, please try again. </div>'; }
	}
	}
?>

Yup :tup:

Yep, that's an acceptable way of doing it.

You are using mysql_escape_string to escape input which could have been tampered with in order to protect the next recipient of that data, i.e. MySQL.

Bear in mind that when you then go on and extract that lump of data again, this time say for display in a webpage as HTML, it is again incumbent upon you to escape that data again, for the next recipient, i.e. a webpage (htmlentities, htmlspecialchars and so on).

This is the EO part of the FIEO mantra, which you need to understand in order to protect yourself and others from attacks:

Filter Input, Escape Output
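The email form from earlier in the thread, rewritten as an added example (not the thread's code) to show FIEO end to end: the input is filtered once, then escaped separately for each recipient, MySQL first and the browser second. It assumes mysqli (the mysql_* extension was removed in PHP 7), the addresses table with email and dateTime columns as in the thread, and placeholder connection details; the message-building helper messageDiv is invented for this example.

```php
<?php
// Added example; not code from the thread. Applies Filter Input / Escape Output
// to the email form above, using mysqli (mysql_* was removed in PHP 7).
// Assumes an `addresses` table with columns email and dateTime, as in the thread.

// FILTER INPUT: validate the value against what it is supposed to be.
// Returns the trimmed address, or null when it is missing or not an email.
function filterEmail(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $email = trim($raw);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// ESCAPE for recipient #1 (MySQL): a prepared statement with a bound
// parameter keeps the value out of the SQL text entirely, so there is no
// quoting to get wrong.
function emailExists(mysqli $db, string $email): bool
{
    $stmt = $db->prepare("SELECT 1 FROM addresses WHERE email = ? LIMIT 1");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $found = $stmt->get_result()->num_rows > 0;
    $stmt->close();
    return $found;
}

function addEmail(mysqli $db, string $email): bool
{
    $stmt = $db->prepare("INSERT INTO addresses (email, dateTime) VALUES (?, NOW())");
    $stmt->bind_param('s', $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// ESCAPE for recipient #2 (the browser): the same value escaped for HTML.
// Being safe for SQL says nothing about being safe inside a page.
function messageDiv(string $class, string $text): string
{
    return '<div class="' . $class . '" style="margin-top: 10px;">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</div>';
}

$msg_to_user = '';
if (isset($_POST['email']) && $_POST['email'] !== '') {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $email = filterEmail($_POST['email']);
    if ($email === null) {
        $msg_to_user = messageDiv('msg_to_user', 'Invalid email address, please try again.');
    } elseif (emailExists($db, $email)) {
        // $email is reflected into the page, so it passes through htmlspecialchars
        $msg_to_user = messageDiv('msg_to_user', $email . ' is already in the system.');
    } elseif (addEmail($db, $email)) {
        $msg_to_user = messageDiv('msg_to_user_success', 'You have been added successfully.');
    } else {
        $msg_to_user = messageDiv('msg_to_user', 'Could not save the address.');
    }
}
echo $msg_to_user;
```

The point of the layout is that each recipient gets its own escaping step at the boundary where the data leaves your code: bind_param for the database, htmlspecialchars for the page. Filtering on the way in (filterEmail) narrows what the rest of the script has to handle, but it does not replace either escaping step.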

Brilliant, thank you guys. Just wanted to make sure I have been implementing the mysql_real_escape_string correctly. Appreciate the help.