mysql_real_escape_string HELP!!


    Hey friends, I would like to know: if I pass all data through

    mysql_real_escape_string

    then will it protect my site from SQL injection? And its dark sides? Any harm in using it?

    Likewise this for all GET, POST, SERVER etc.

    $msg = mysql_real_escape_string( $_GET['msg'] );

    Please leave your valuable comments @ all

    #2
    Yes, it will.


      #3
      Thanks, sir.


        #4
        How-to here?

        PHP Code:
        if ($message != "") {
            if (isspam($message)) $spam = " reported='1',";
            else $spam = "";
            $res = mysql_query("INSERT INTO inbox SET text='".$message."', byid='".getuid_sid($sid)."', toid='".$who."',$spam timesent='".time()."'");
        }
        Last edited by arnage; 26.05.12, 14:58.


          #5
          rep

          Originally posted by eynesilli View Post
          if ($message != "") {
              if (isspam($message)) $spam = " reported='1',";
              else $spam = "";
              $res = mysql_query("INSERT INTO inbox SET text='".$message."', byid='".getuid_sid($sid)."', toid='".$who."',$spam timesent='".time()."'");
          }

          What do you mean by how-to? Please describe.
          ImPoSsIbLe iS nOthInG aS ImPoSsible ItSelF SaYs "I M POSSIBLE"


            #6
            Originally posted by icedroplet1987 View Post
            Hey friends, I would like to know: if I pass all data through

            mysql_real_escape_string

            then will it protect my site from SQL injection? And its dark sides? Any harm in using it?

            Likewise this for all GET, POST, SERVER etc.

            $msg = mysql_real_escape_string( $_GET['msg'] );

            Please leave your valuable comments @ all
            Not always; it depends on how your MySQL queries are scripted.
            mysql_real_escape_string() backslashes things such as ' and ", however an injection can be as simple as:
            PHP Code:
            OR 
            (no quotes ^ )

            Originally posted by eynesilli View Post
            if ($message != "") {
                if (isspam($message)) $spam = " reported='1',";
                else $spam = "";
                $res = mysql_query("INSERT INTO inbox SET text='".$message."', byid='".getuid_sid($sid)."', toid='".$who."',$spam timesent='".time()."'");
            }
            Use:
            PHP Code:
            $message = mysql_real_escape_string($message);


              #7
              mysql_real_escape_string() will not be enough brother.
              It's n0t that i am afraid to die. Its just that if i die, wh0 wilL loVe her as muCh as i Do?



                #8
                Originally posted by icedroplet1987 View Post
                Hey friends, I would like to know: if I pass all data through
                mysql_real_escape_string
                then will it protect my site from SQL injection? And its dark sides? Any harm in using it?
                Likewise this for all GET, POST, SERVER etc.

                $msg = mysql_real_escape_string( $_GET['msg'] );

                Please leave your valuable comments @ all
                Originally posted by analyzer View Post
                mysql_real_escape_string() will not be enough brother.
                I don't see why that wouldn't be enough...? Do you mind explaining?

                Other than that... I do prefer this
                PHP Code:
                $msg = mysql_real_escape_string(strip_tags(htmlspecialchars($_GET['msg'])));
                just to "sleep better"
                It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
                ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
                ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
                キノgんイノ刀g 4 ア乇ムc乇 ノ丂 レノズ乇 キucズノ刀g 4 √ノ尺gノ刀ノイリ!


                  #9
                  Originally posted by something else View Post
                  Not always; it depends on how your MySQL queries are scripted.
                  mysql_real_escape_string() backslashes things such as ' and ", however an injection can be as simple as:
                  PHP Code:
                  OR 
                  (no quotes ^ )

                  Use:
                  PHP Code:
                  $message = mysql_real_escape_string($message);

                  Thanks, but I still did not understand anything.


                    #10
                    Thanks metulj brother.. please also tell, is there anything wrong in using this? As I am sure it will protect against injection, but is there any harm in it?

                    Other question: how can I make sessions not expire? Meaning if the user switches the browser off and then on again, he should still be logged in, just like vBulletin's remember-me option. I saw a lavalair site with sessions showing and secured too. How is it possible that his sessions don't expire until you log out or clear the cache? Please enlighten me on this question too @ all..


                      #11
                      Originally posted by icedroplet1987 View Post
                      Thanks metulj brother.. please also tell, is there anything wrong in using this? As I am sure it will protect against injection, but is there any harm in it?

                      Other question: how can I make sessions not expire? Meaning if the user switches the browser off and then on again, he should still be logged in, just like vBulletin's remember-me option. I saw a lavalair site with sessions showing and secured too. How is it possible that his sessions don't expire until you log out or clear the cache? Please enlighten me on this question too @ all..
                      I wouldn't use endless sessions...
                      If the browser and/or IP has been changed,
                      I believe it is correct that the session is ended.
                      I might be wrong, but I think that way the session is also a bit more secure.


                        #12
                        But as I said, I saw a site whose sessions aren't hidden and aren't even destroyed (endless), and it is perfectly secured; that's why I asked. If you or anybody else on this forum knows it, then please share the information on this, or code too.

                        Added after 10 minutes:

                        Originally posted by metulj View Post
                        I don't see why that wouldn't be enough...? Do you mind explaining?

                        Other than that... I do prefer this
                        PHP Code:
                        $msg = mysql_real_escape_string(strip_tags(htmlspecialchars($_GET['msg'])));
                        just to "sleep better"
                        And bro, should I pass even $_SESSION, $_SERVER through it.. // I mean all requests??
                        Last edited by icedroplet1987; 26.05.12, 19:10.


                          #13
                          Originally posted by icedroplet1987 View Post
                          But as I said, I saw a site whose sessions aren't hidden and aren't even destroyed (endless), and it is perfectly secured; that's why I asked. If you or anybody else on this forum knows it, then please share the information on this, or code too.

                          Added after 10 minutes:

                          And bro, should I pass even $_SESSION, $_SERVER through it.. // I mean all requests??
                          Code:
                          function clean($do = null){
                          return isset($do) ? mysql_real_escape_string(strip_tags(htmlspecialchars(trim($do)))) : null;
                          }
                          Usage
                          Code:
                          echo clean($_POST['var']);//For Post
                          echo clean($_GET['var']);//FOR get
                          echo clean($_SERVER['var']);//FOR server
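
Pulling post #6 (escaping does nothing for an unquoted value) and post #13 (the clean() helper that HTML-escapes before storing) together in working code, as an added example that is not from this thread: it shows why a backslashed value still injects in a numeric context, how validating the type and binding it as a parameter closes that, and why htmlspecialchars() belongs at output time. It assumes PHP with the pdo_sqlite extension so it runs offline, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection and was removed with the rest of the mysql_* extension in PHP 7.

```php
<?php
// Added example (not from the thread). PDO with an in-memory SQLite database
// so it runs offline; the same PDO calls work unchanged against MySQL.
// addslashes() stands in for mysql_real_escape_string(): both only backslash
// quote characters, neither can help where the query has no quotes.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE inbox (id INTEGER PRIMARY KEY, toid INTEGER, text TEXT)");
$db->exec("INSERT INTO inbox (toid, text) VALUES (7, 'for user 7'), (8, 'for user 8')");

// 1. Post #6's point: in an unquoted numeric context escaping changes nothing.
//    The constructed input has no quote characters, so it passes through
//    untouched and its OR becomes part of the WHERE clause.
$who     = "7 OR 1=1";                 // constructed hostile $_GET['who']
$escaped = addslashes($who);           // still exactly "7 OR 1=1"
$leaked  = $db->query("SELECT text FROM inbox WHERE toid=$escaped")
              ->fetchAll(PDO::FETCH_COLUMN);
printf("escaping only: %d rows (user 7 should see 1)\n", count($leaked)); // 2

// 2. Validate the type first, then bind. A bound parameter is always data,
//    and FILTER_VALIDATE_INT rejects anything that is not a whole integer.
function inboxFor(PDO $db, string $who): array
{
    $toid = filter_var($who, FILTER_VALIDATE_INT);
    if ($toid === false) {
        return [];                     // reject; a real app would log this
    }
    $stmt = $db->prepare("SELECT text FROM inbox WHERE toid = :toid");
    $stmt->execute([':toid' => $toid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
printf("validated + bound, hostile input: %d rows\n", count(inboxFor($db, $who))); // 0
printf("validated + bound, '7': %d rows\n", count(inboxFor($db, '7')));           // 1

// 3. Post #13's clean() runs strip_tags/htmlspecialchars before storing.
//    Those are output encodings: store the text as sent (bound, so quotes and
//    backslashes are harmless) and HTML-escape when rendering instead.
$insert = $db->prepare("INSERT INTO inbox (toid, text) VALUES (:toid, :text)");
$insert->execute([':toid' => 7, ':text' => "O'Brien wrote <b>hi</b> \\o/"]);
foreach (inboxFor($db, '7') as $text) {
    echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), "\n";
}
```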



                            #14
                            Originally posted by icedroplet1987 View Post
                            Hey friends, I would like to know: if I pass all data through

                            mysql_real_escape_string

                            then will it protect my site from SQL injection? And its dark sides? Any harm in using it?

                            Likewise this for all GET, POST, SERVER etc.

                            $msg = mysql_real_escape_string( $_GET['msg'] );

                            Please leave your valuable comments @ all
                            You may find this link helpful.

                            Note: the link below contains useful info + some kind of free malware, so beware :P
                            http://www.itshacked.com/350/bypassi...-possible.html

                            Exploiting hard filtered SQL Injections

                            Also, if you don't provide the proper charset type, mysql_real_escape_string can't help you, because the default charset is set to UTF-8. According to the PHP bug report it was fixed way back in 2006, but I still found it working on some sites, though not all.
                            Last edited by StunningNick; 26.05.12, 21:46. Reason: note added :///


                              #15
                              Si, is it not safe what metulj is using, ha?