coxdabd
December 7, 2010, 11:58am
1
Hi guys, where do I need to place the mysql_real_escape_string in my code? Tried looking around but can't figure it out.
<html>
<head>
<title>Print Database</title>
<style type="text/css">
body {
    font-family: Arial, Helvetica, sans-serif;
    font-size: 10px;
    margin: 0px 0px 0px 0px;
}
.id {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    width: 35px;
    font-weight: bold;
    float: left;
    margin-right: 0px;
}
.name {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    font-weight: normal;
    width: 200px;
    float: left;
}
.price {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    width: 50px;
    float: left;
    font-weight: bold;
    text-align: right;
}
.description {
    font-weight: normal;
    float: left;
    width: 560px;
    margin-bottom: 5px;
    margin-left: 40px;
}
.condition {
    font-size: 10px;
    font-family: Arial, Helvetica, sans-serif;
    font-weight: normal;
    width: 110px;
    float: left;
    margin-left: 20px;
}
</style>
</head>
<body>
<div style="float: left;"><h1>Used Products - Database Pull</h1></div>
<?php
include_once('connection.php');
$query = "SELECT
    products.products_id,
    products_description.products_name,
    products.products_status,
    products.products_price,
    products.used_condition,
    products.actuations
    FROM products
    INNER JOIN products_description
        ON products.products_id = products_description.products_id";
$result = mysql_query($query) or die (mysql_error());
$vat = 1.175;
//Print out Results
while ($row = mysql_fetch_array($result)) {
    //Main DIV Wrapper
    echo "<div style='width: 100%; margin-bottom: 0px; padding: 6px 0px 6px 0px; border-bottom: solid #000000 1px; float: left;'>";
    //Products ID Print
    echo "<div class='id'>".$row['products_id']."</div>";
    //Products Name Print
    echo "<div class='name'>".$row['products_name']."</div>";
    //Products Price Print
    echo "<div class='price'>£".number_format($row['products_price']*$vat)."</div>";
    //Products Used Condition Print
    if ($row['used_condition'] == NULL) {
        echo "<div class='condition'>Condition: <strong>N/A</strong></div>";
    } else {
        echo "<div class='condition'>Condition: <strong>".$row['used_condition']."</strong></div>";
    }
    //Products Actuations Print
    if ($row['actuations'] == NULL) {
        echo "<div class='condition'>Actuations: <strong>N/A</strong></div>";
    } else {
        echo "<div class='condition'>Actuations: <strong>".$row['actuations']."</strong></div>";
    }
    //Products Hidden/Visible Print
    if ($row['products_status'] > 0) {
        echo "";
    } else {
        echo "<div style='font-weight: bold; margin: 0px 0px 0px 20px; float: left;'>Hidden</div>";
    }
    //Main DIV Wrapper Closing Tag
    echo "</div>";
}
?>
</body>
</html>
system
December 7, 2010, 12:01pm
2
I usually include it in the actual query
$query = 'select * from tblUser where fldUsername = "'.mysql_real_escape_string($username).'"';
Depending upon the situation, I usually use the function with all the user input data whether they are passed via URL (GET) or form (POST) before using in the database query.
Hi, thank you both for your messages. Where would you place the real_escape in my above code? Just don’t know where to place it.
rpkamp
December 7, 2010, 2:26pm
5
You're not using any PHP variables in the query you're running, so you don't need mysql_real_escape_string for this query at all.
Where you use it is if you want to show just one product based on a products_id, like so:
$query = "SELECT
    products.products_id,
    products_description.products_name,
    products.products_status,
    products.products_price,
    products.used_condition,
    products.actuations
    FROM products
    INNER JOIN products_description
        ON products.products_id = products_description.products_id
    WHERE products.products_id='" . mysql_real_escape_string($product_id) . "'";
// The escaped value has to sit inside quotes: mysql_real_escape_string() only
// neutralises quote and control characters, so an unquoted value could still
// change the shape of the query. For an integer column, (int)$product_id is an
// equally safe alternative.
rpkamp:
You're not using any PHP variables in the query you're running, so you don't need mysql_real_escape_string for this query at all.
Hi, thanks for your reply. Right, ok, I understand now. So the following script would be acceptable to use and would indeed work?
<?php
error_reporting(0);
include('tpl_includes/header.php');
$email = "";
$msg_to_user = "";
// isset() avoids an undefined-index notice when the form has not been submitted yet
if (isset($_POST['email']) && $_POST['email'] != "") {
    include_once "connection.php";
    // Escape for the SQL context; the value goes inside a quoted literal below
    $email = mysql_real_escape_string($_POST['email']);
    $sql = mysql_query("SELECT * FROM addresses WHERE email='$email'") or die (mysql_error());
    $numRows = mysql_num_rows($sql);
    if (!$email) {
        $msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">Please type an email address.</div>';
    }
    else if ($numRows > 0) {
        // Escape separately for the HTML context; the SQL-escaped copy is not safe to echo as-is
        $msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">'.htmlspecialchars($_POST['email']).' is already in the system.</div>';
    }
    else {
        if (false !== filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
            $sql_insert = mysql_query("INSERT INTO addresses (email, dateTime)
                VALUES('$email', now())") or die (mysql_error());
            $msg_to_user = '<div class="msg_to_user_success" style="margin-top: 10px;">You have been added successfully.</div>';
            $email = "";
        } else {
            $msg_to_user = '<div class="msg_to_user" style="margin-top: 10px;">Invalid email address, please try again. </div>';
        }
    }
}
?>
Cups
December 7, 2010, 3:33pm
8
Yep, that's an acceptable way of doing it.
You are using mysql_escape_string to escape input which could have been tampered with, in order to protect the next recipient of that data, i.e. MySQL.
Bear in mind that when you then go on and extract that lump of data again, this time, say, for display in a web page as HTML, it is again incumbent upon you to escape that data again for the next recipient, i.e. a web page (htmlentities, htmlspecialchars and so on).
This is the EO part of the FIEO mantra which you need to understand in order to protect yourself and others from attacks.
Filter Input Escape Output
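An added example, not code from anyone in this thread, that ties together rpkamp's point about where the escaped value sits in the query and Cups's point about escaping again for each output context. It is plain PHP. Because mysql_real_escape_string() needs a live MySQL connection (and the mysql_* extension no longer exists in PHP 7+), the sql_escape() function below is an assumed stand-in that applies the same character escaping rules; the products and addresses queries are constructed to mirror the tables used above.

```php
<?php
// Added example, not code from the thread. sql_escape() is an assumed stand-in
// for mysql_real_escape_string(), which needs a live MySQL connection; it
// applies the same character escaping rules for a single-byte charset.
declare(strict_types=1);

function sql_escape(string $value): string
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// 1. Where the escaped value sits matters.

// Unquoted: escaping touches only quote and control characters, so any other
// text in $id lands in the query as SQL syntax rather than as data.
function product_query_unquoted(string $id): string
{
    return "SELECT products_id FROM products WHERE products_id=" . sql_escape($id);
}

// Integer column: cast, so only a number can reach the query.
function product_query_int(string $id): string
{
    return "SELECT products_id FROM products WHERE products_id=" . (int) $id;
}

// String column: escaped value inside single quotes, as in the email script above.
function address_query(string $email): string
{
    return "SELECT * FROM addresses WHERE email='" . sql_escape($email) . "'";
}

// 2. FIEO: filter on the way in, then escape separately for each output context.

function filter_email(string $raw): ?string
{
    $valid = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// HTML context: escape the original value, never the SQL-escaped copy.
function html_message(string $email): string
{
    return '<div class="msg_to_user">'
        . htmlspecialchars($email, ENT_QUOTES, 'UTF-8')
        . ' is already in the system.</div>';
}

// Constructed sample inputs for the demo
$odd_id    = "12 abc";             // not a clean integer
$odd_email = "o'neil@example.com"; // legitimate value that contains a quote
$bad_email = "<b>not an address";  // fails validation and contains markup

echo product_query_unquoted($odd_id), "\n"; // the text after 12 becomes part of the SQL
echo product_query_int($odd_id), "\n";      // only the leading number survives the cast
echo address_query($odd_email), "\n";       // quote escaped, value stays inside the literal
echo "\n";

foreach ([$odd_email, $bad_email, "  user@example.com "] as $input) {
    $email = filter_email($input);
    if ($email === null) {
        echo "rejected at input: " . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    echo "SQL : " . address_query($email) . "\n";
    echo "HTML: " . html_message($email) . "\n";
}
```

Run it with `php fieo_demo.php` and compare the three product queries: the unquoted form is the only one where the characters of the input reach the query as syntax. The foreach shows the two escaping steps applied independently to the same validated value, which is the "EO" half of FIEO that Cups describes.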
Brilliant, thank you guys. Just wanted to make sure I have been implementing the mysql_real_escape_string correctly. Appreciate the help.