  #1 JohnDubya (Super Moderator)

    Do I have to have \' in my database with mysql_real_escape_string() ?

    Ok, so to prevent SQL injection, I've been trying to integrate mysql_real_escape_string() into my queries. Here's my code:

    PHP Code:
    // $user_id is interpolated straight into the string, so it is not escaped here;
    // only the four sprintf() arguments pass through mysql_real_escape_string().
    $query = sprintf("INSERT INTO user_receipts SET user_id = '$user_id', subcat_id = '%s', description = '%s', amount = '%f', date_of_receipt = '%s', created_at = NOW(), updated_at = NOW()",
        mysql_real_escape_string($subcategorySelect),
        mysql_real_escape_string($_POST['description']),
        mysql_real_escape_string($NewAmount),
        mysql_real_escape_string($date));

    $a = mysql_query($query);
    I found this sprintf() code somewhere and used it. It works great, but if the description has an apostrophe, the mysql_real_escape_string() puts a \ before it and sends it to the database. Then, every time I echo the description, it also echoes the \.

    My question is...is there a way to not send the \ to the database, or does it need to go? Should I just use stripslashes() every time I have to echo that field? Thanks.

  #2 chump2877 (Senior Coder)

    Quote Originally Posted by JohnDubya
    My question is...is there a way to not send the \ to the database, or does it need to go? Should I just use stripslashes() every time I have to echo that field? Thanks.
    Yes, use stripslashes to read your database data...the easiest thing for you to do (if you have A LOT of database queries) is create or use some kind of MySQL abstraction class that automatically escapes data before it is inserted into your database and unescapes your data for presentation purposes. Then you don't have to bother with adding mysql_real_escape_string and stripslashes to everything...

    http://www.google.com/search?q=php+m...ient=firefox-a
    http://www.phpclasses.org/browse/package/2329.html
    http://www.codingforums.com/showthre...traction+class
    Regards, R.J.


  #3 (New Coder)
    I would just create a drop-in strip function, then call it if magic_quotes is on and use it on the SUPER GLOBAL you are using in your script, then turn magic_quotes off.

    the function...

    PHP Code:
    // strip global: recursively remove magic-quote backslashes from an array
    function strip_global(&$item)
    {
        if (is_array($item))
        {
            foreach ($item AS $k => $v)
            {
                if (is_string($v))
                {
                    $item[$k] = stripslashes($v);
                }
                else if (is_array($v))
                {
                    // recurse into nested arrays (e.g. checkbox groups)
                    $item[$k] = strip_global($v);
                }
            }
        }

        return $item;
    }


    Then test if it's needed to be used...
    PHP Code:
    if (get_magic_quotes_gpc())
    {
        // script is expecting $_POST, so strip the SUPER GLOBAL $_POST
        $_POST = strip_global($_POST);

        // now turn magic quotes off
        // (note: this switches magic_quotes_runtime, which applies to data read
        // from files and databases; magic_quotes_gpc itself is a php.ini setting)
        set_magic_quotes_runtime(0);
    }

    // now $_POST is ready to use with slashes removed
    That will work fine on $_GET, $_POST and $_COOKIE. If you are using the $_FILES SUPER GLOBAL, you will need to walk through the array adding \\ to tmp_name before you run it through strip_global(). Example for handling the $_FILES array:

    PHP Code:
    if (is_array($_FILES) && !empty($_FILES))
    {
        foreach ($_FILES AS $k => $v)
        {
            // double the backslashes in tmp_name so stripslashes() leaves the real path intact
            $_FILES[$k]['tmp_name'] = str_replace('\\', '\\\\', $v['tmp_name']);
        }

        $_FILES = strip_global($_FILES);
    }


  #4 Nightfire (Senior Coder)
    To add to the magic quotes bit above, here's what I use
    PHP Code:
    if (!get_magic_quotes_gpc()) {
        $_GET = array_map('mysql_real_escape_string', $_GET);
        $_POST = array_map('mysql_real_escape_string', $_POST);
        $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
    }


  #5 (New Coder)

    Quote Originally Posted by Nightfire
    To add to the magic quotes bit above, here's what I use
    PHP Code:
    if (!get_magic_quotes_gpc()) {
        $_GET = array_map('mysql_real_escape_string', $_GET);
        $_POST = array_map('mysql_real_escape_string', $_POST);
        $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
    }

    But that will not work on associative arrays; you need to loop so you treat each key => value based on what it is!

    PHP Code:
    <?php

    // maybe a checkbox array <input type='checkbox' name='array[array_key_1]' value='array_value_1' />

    $_POST = array('item' => 'item_value', 'array' => array('array_key_1' => 'array_value_1'));

    // will give a warning (mysql_real_escape_string() expects parameter 1 to be string, array given)

    $_POST = array_map('mysql_real_escape_string', $_POST);

    ?>
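As an added example (not code from any post in this thread), the following reproduces the stored-backslash symptom from post #1 and combines post #3's recursive strip with post #5's nested-array point. It assumes PHP with the PDO SQLite driver so it runs offline, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL link; the function names and sample request data are constructed for this example.

```php
<?php
// Post #1's sprintf()/mysql_real_escape_string() query is fine on its own:
// MySQL turns \' back into ' while parsing the INSERT. A backslash reaches
// the table only when the value is escaped twice, which is what happens when
// magic_quotes_gpc has already added one before the script escapes again.

// Recursive strip (post #3's idea). array_map('stripslashes', $_POST) alone
// would hand nested arrays straight to stripslashes() (post #5's warning).
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);  // keys are preserved
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Undo magic quotes exactly once, at the top of the script. PHP 8 removed
// get_magic_quotes_gpc(), hence the function_exists() guard.
function request_without_magic_quotes(array $gpc, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? strip_magic_quotes($gpc) : $gpc;
}

// Constructed request body as PHP with magic_quotes_gpc=On would deliver it:
// every apostrophe already carries a backslash, nested values included.
$magicQuotedPost = ['description' => "Bob\\'s lunch", 'tags' => ["o\\'clock"]];
$post = request_without_magic_quotes($magicQuotedPost, true);
// $post['description'] === "Bob's lunch", $post['tags'][0] === "o'clock"

// The double escape that puts a backslash in the table (addslashes() stands in
// for mysql_real_escape_string(), which needs a live MySQL link):
//   addslashes("Bob\\'s lunch") === "Bob\\\\\\'s lunch"  -> MySQL stores Bob\'s lunch
//   addslashes($post['description']) === "Bob\\'s lunch" -> MySQL stores Bob's lunch

// A prepared statement needs no manual escaping at all. SQLite in memory keeps
// the example offline; the same PDO calls work against MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_receipts (id INTEGER PRIMARY KEY, description TEXT)');
$stmt = $db->prepare('INSERT INTO user_receipts (description) VALUES (:d)');
$stmt->execute([':d' => $post['description']]);

$stored = $db->query('SELECT description FROM user_receipts')->fetchColumn();
// $stored === "Bob's lunch": no backslash, so no stripslashes() on output.
// Escape for the output context instead (HTML here).
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

With the input normalised once and bound as a parameter, the apostrophe is stored as-is, so the stripslashes()-on-every-echo workaround from posts #1 and #2 becomes unnecessary.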

