mysql_real_escape_string HELP!!


    #16
    If you put everything into single quotes and mysql_real_escape_string then not much can go wrong.
    Like
    PHP Code:
    // string value: escape it AND wrap it in single quotes
    $sql = "select * from users where username = '".mysql_real_escape_string($username)."' ";
    Same with inserts and updates,

    or use intval() for integer values:
    PHP Code:
    // integer value: intval() leaves nothing but digits
    $sql = "select * from users where id = '".intval($id)."' ";


      #17
      Originally posted by GumSlone:
      If you put everything into single quotes and mysql_real_escape_string then not much can go wrong.
      Like
      PHP Code:
      $sql = "select * from users where username = '".mysql_real_escape_string($username)."' ";
      Same with inserts and updates,

      or use intval() for integer values:
      PHP Code:
      $sql = "select * from users where id = '".intval($id)."' ";
      You mean to say that I have to use it in each single MySQL call too????

      I am already tired of implementing it with GET, POST etc.

      Do I have to do it in SQL queries too?



        #18
        Originally posted by icedroplet1987:
        You mean to say that I have to use it in each single MySQL call too????

        I am already tired of implementing it with GET, POST etc.

        Do I have to do it in SQL queries too?
        You have to do it like in my example:
        PHP Code:
        $q = mysql_query("select * from users where username = '".mysql_real_escape_string($_GET['username'])."' ");
        or
        PHP Code:
        mysql_query("UPDATE users SET age='".intval($_REQUEST['age'])."', user_infos='".mysql_real_escape_string($_REQUEST['user_infos'])."', user_location='".mysql_real_escape_string($_REQUEST['location'])."' WHERE username = '".mysql_real_escape_string($username)."' ");
        or
        PHP Code:
        // sanitise each value once, then build the query from the clean copies
        $age        = intval($_REQUEST['age']);
        $user_infos = mysql_real_escape_string($_REQUEST['user_infos']);
        $location   = mysql_real_escape_string($_REQUEST['location']);
        $username   = mysql_real_escape_string($username);
        mysql_query("UPDATE users SET age='".$age."', user_infos='".$user_infos."', user_location='".$location."' WHERE username = '".$username."' ");


          #19
          Originally posted by GumSlone:
          You have to do it like in my example:
          PHP Code:
          $q = mysql_query("select * from users where username = '".mysql_real_escape_string($_GET['username'])."' ");
          or
          PHP Code:
          mysql_query("UPDATE users SET age='".intval($_REQUEST['age'])."', user_infos='".mysql_real_escape_string($_REQUEST['user_infos'])."', user_location='".mysql_real_escape_string($_REQUEST['location'])."' WHERE username = '".mysql_real_escape_string($username)."' ");
          or
          PHP Code:
          $age        = intval($_REQUEST['age']);
          $user_infos = mysql_real_escape_string($_REQUEST['user_infos']);
          $location   = mysql_real_escape_string($_REQUEST['location']);
          $username   = mysql_real_escape_string($username);
          mysql_query("UPDATE users SET age='".$age."', user_infos='".$user_infos."', user_location='".$location."' WHERE username = '".$username."' ");
          I did it the last way, the same as methulj told me. Will it be OK?



            #20
            Originally posted by icedroplet1987:
            I did it the last way, the same as methulj told me. Will it be OK?
            If you do it the same way as in my examples, everything will be OK.


              #21
              Originally posted by GumSlone:
              If you do it the same way as in my examples, everything will be OK.
              OK, but I did it as methulj mentioned, covered all requests, so it's safe, right?

              Have a look at methulj's code, sir.



                #22
                @metulj - mysql_real_escape_string() cannot stand alone... like what you did: htmlspecialchars and strip_tags were added, which is better.


                  #23
                  Originally posted by analyzer:
                  @metulj - mysql_real_escape_string() cannot stand alone... like what you did: htmlspecialchars and strip_tags were added, which is better.
                  Of course it can stand alone.
                  strip_tags and htmlspecialchars are another story; we are talking here about prevention of MySQL injection, so mysql_real_escape_string will do the job.


                    #24
                    Well, I don't think there is more to add; Gumslone already said it all. Most developers on here confuse mysql_real_escape_string and htmlspecialchars. I've seen a lot of times where some apps here pass data to the database using the htmlspecialchars function. That's wrong. mysql_real_escape_string and proper coding practice can handle injection just fine. htmlspecialchars should be used ONLY to escape special characters that might be stored in the DB harmlessly but could come out as potential XSS attacks. For instance, someone posted in a forum:

                    Code:
                    <b>This is an injected html code.
                    When fetching from the database, it would save you a lot of heartache if you just escape with htmlspecialchars; that way the browser doesn't interpret the < b > as HTML tags but as a string. That's where that function comes into play, not for SQL query escaping.
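An added example, not code from the thread, tying together the two rules posts #16/#18 and #24 settle on: escape-and-quote strings (intval() for integers) on the SQL side, htmlspecialchars() only on output. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; PDO::quote() and bound parameters stand in for mysql_real_escape_string() (the mysql_* extension was removed in PHP 7), and the users table and its rows are constructed here.

```php
<?php
// Added example (not from the thread). Two layers:
//  (1) SQL layer: every string value is escaped AND wrapped in single quotes,
//      every integer goes through intval(); or, better, values are bound.
//  (2) Output layer: htmlspecialchars() when rendering, never on the query.
// Assumption: PDO + pdo_sqlite are available; SQLite stands in for MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, age INTEGER, user_infos TEXT)');

// Constructed sample rows. The first username contains an apostrophe on purpose.
$ins = $db->prepare('INSERT INTO users (username, age, user_infos) VALUES (?, ?, ?)');
$ins->execute(["O'Brien", 30, '<b>This is an injected html code.']);
$ins->execute(['alice', 25, 'plain text']);

// Post #16 style: escape-and-quote the string, intval() the integer, concatenate.
function findUserEscaped(PDO $db, string $username, $minAge): array {
    $sql = 'SELECT username, age, user_infos FROM users WHERE username = '
         . $db->quote($username) . ' AND age >= ' . intval($minAge);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same query with bound parameters: the value is never spliced into SQL text.
function findUserBound(PDO $db, string $username, $minAge): array {
    $stmt = $db->prepare(
        'SELECT username, age, user_infos FROM users WHERE username = ? AND age >= ?');
    $stmt->execute([$username, intval($minAge)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Post #24: escape when rendering, so the browser shows "<b>" as literal text.
function renderInfos(string $infos): string {
    return htmlspecialchars($infos, ENT_QUOTES, 'UTF-8');
}

// "18abc" becomes 18; the apostrophe stays data and matches exactly one row.
$a = findUserEscaped($db, "O'Brien", '18abc');
$b = findUserBound($db, "O'Brien", '18abc');
if ($a !== $b || count($a) !== 1 || $a[0]['username'] !== "O'Brien") {
    throw new RuntimeException('lookup mismatch');
}
echo $db->quote("O'Brien"), "\n";            // the escaped, quoted SQL literal
echo renderInfos($a[0]['user_infos']), "\n"; // the HTML-safe rendering
```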
