#1 New Coder (joined Apr 2007)

    A few questions.

    - Why, when I add slashes before I use a query and then remove them, do I still have slashes when I output the variable?
    - Does anyone have a guide about checking what characters the user has typed, so I could give an error if the user types quotes or slashes?

    Thanks.

  • #2 _Aerospace_Eng_, Supreme Master coder! (joined Dec 2004)
    I think the best option here would be to use mysql_real_escape_string(); this way slashes and quotes are escaped before going into the database. No need to tell the user they can't type something. Besides, that's just not user-friendly. When you retrieve the data it should come back just fine, just as if the quotes and slashes were never escaped. This is how MySQL works when you use the mysql_real_escape_string function. It's suggested that if magic_quotes_gpc is enabled, you first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice. Here is an example that checks to see if magic_quotes is enabled. If it is, then it applies stripslashes to the data, then it uses mysql_real_escape_string on the data.
    PHP Code:
    function escape_data($data) {
        // magic_quotes_gpc has already added slashes to GET/POST/COOKIE values;
        // take them off so the value is not escaped twice
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($data);
        }
        // escape exactly once, right before the value goes into the query
        return mysql_real_escape_string($data);
    }

    Last edited by _Aerospace_Eng_; 07-23-2007 at 07:36 AM.
    ||||If you are getting paid to do a job, don't ask for help on it!||||
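The following is an added example, not code from the thread, written to make the double-escaping point above concrete. It simulates what magic_quotes_gpc hands a script (the raw POST value already run through addslashes()), repeats the sequence the original poster described (addslashes() on top, then stripslashes()) to show why one layer of slashes survives, and then escapes once at the query boundary. It assumes PHP 7.1 or later with mysqli and mysqlnd (the mysql_* extension was removed in PHP 7, and mysqli_real_escape_string() needs a live connection because escaping depends on the connection's character set); the host, user, password and database name are placeholders, and the users table is assumed.

```php
<?php
// Added example for the thread above; not the poster's code.
// Assumes PHP 7.1+, mysqli with mysqlnd, and a users(id, username) table.

mysqli_report(MYSQLI_REPORT_OFF); // keep connect failures non-fatal for the demo

// What PHP hands a script when magic_quotes_gpc is on: the raw POST value
// "O'Brien" already arrives as "O\'Brien".
function simulate_magic_quotes(string $raw): string {
    return addslashes($raw);
}

// The sequence from the first post: addslashes() on a value that magic quotes
// already escaped, then stripslashes(). addslashes() escapes both the quote and
// the existing backslash, so stripslashes() only undoes one of the two layers.
function op_sequence(string $gpc_value): string {
    $escaped_again = addslashes($gpc_value);
    return stripslashes($escaped_again);
}

// Escape exactly once. Undo magic quotes only where they exist (PHP < 5.4),
// then escape with the connection's character set right before the query.
function escape_data(mysqli $link, string $data): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return mysqli_real_escape_string($link, $data);
}

// Same lookup as a prepared statement: the value is sent as a parameter and
// never becomes part of the SQL text, so nothing is escaped or stripped.
function find_user(mysqli $link, string $username): ?array {
    $stmt = $link->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

$gpc = simulate_magic_quotes("O'Brien");
echo "value as seen under magic_quotes_gpc: $gpc\n";
echo "after addslashes() + stripslashes(): " . op_sequence($gpc) . "\n";

// Placeholder credentials; the DB part only runs when a connection succeeds.
$link = new mysqli('localhost', 'app', 'secret', 'appdb');
if ($link->connect_errno === 0) {
    $name = escape_data($link, $gpc);
    $sql  = "SELECT id FROM users WHERE username = '$name'";
    echo "query text sent to MySQL: $sql\n"; // MySQL unescapes the literal, stores O'Brien
    var_dump(find_user($link, "O'Brien"));
} else {
    echo "no database connection; skipping the query part\n";
}
```

The escaped query text contains a backslash, but that backslash is part of the SQL string literal syntax, not of the stored value, which is why a row written this way reads back as O'Brien. The prepared-statement version is the form to prefer where the driver supports it: with bound parameters there is no escaping step to get wrong twice.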

  • #3 New Coder (joined Apr 2007)
    Then if I still see slashes, it means it has already been escaped before
    I used addslashes()?
    Why can't I just leave it if it has already been escaped,
    instead of using mysql_real_escape_string?

    And about the character check, I also need it for forms where the user is supposed to type only numbers or things such as email.

    One last thing about cookies: if I insert the username into a cookie
    and then retrieve it back, is it still escaped? Since it says
    mysql_real_escape_string.

    Thanks again.

  • #4 _Aerospace_Eng_, Supreme Master coder! (joined Dec 2004)
    See, that's the thing: you ONLY escape the data if it's going into the database. You aren't going to store the cookie in the database. Using mysql_real_escape_string is the secure way of storing data in a database to prevent MySQL injection. http://us2.php.net/mysql_real_escape_string
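The following is an added example, not code from the thread, covering the two points left open above: escaping belongs to the sink it targets, so the same username is handled differently on its way to SQL, to HTML and to a cookie; and the number and e-mail fields the original poster asked about are handled by validation rather than by rejecting quotes. It needs no database: the SQL sink is shown as the (query text, parameters) pair that would be handed to prepare() and bind_param(). The input values are constructed, and the field ranges and the users table are assumptions.

```php
<?php
// Added example for the thread above; not the posters' code. PHP 7.1+.

// Validation: accept or reject a field, never "repair" it.
function validate_int(string $value, int $min, int $max): ?int {
    $n = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

function validate_email(string $value): ?string {
    $e = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $e === false ? null : $e;
}

// SQL sink: the user value travels as a bound parameter, so the query text
// never contains it and quotes or backslashes need no escaping at all.
// Returns the pair you would pass to $link->prepare() and bind_param('s', ...).
function user_by_name_query(string $username): array {
    return [
        'sql'    => 'SELECT id FROM users WHERE username = ?',
        'params' => [$username],
    ];
}

// HTML sink: entity-encode at output time. The stored value stays O'Brien;
// only the rendered page gets the encoding.
function for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Cookie sink: setcookie() URL-encodes the value and PHP decodes it into
// $_COOKIE, so the username round-trips without any SQL escaping. Note that
// magic_quotes_gpc (PHP < 5.4) slashed $_COOKIE exactly like $_GET and $_POST,
// and a cookie is client-controlled anyway: treat a value read back from
// $_COOKIE as fresh untrusted input, validated and encoded for its next sink.
function cookie_round_trip(string $value): string {
    $on_the_wire = rawurlencode($value); // what the Set-Cookie header carries
    return urldecode($on_the_wire);      // what $_COOKIE['username'] holds
}

// Constructed inputs standing in for $_POST.
$username = "O'Brien <b>x</b>";
$age      = "17";
$email    = "not an address";

var_dump(validate_int($age, 18, 120));       // null: below the assumed minimum
var_dump(validate_email($email));            // null: not an address
var_dump(validate_email("ann@example.com")); // passes unchanged

print_r(user_by_name_query($username));      // raw value in params, '?' in sql
echo for_html($username), "\n";              // safe to print inside HTML
echo cookie_round_trip($username), "\n";     // same string back, no slashes
```

The point to take from the three sinks is that there is no single "escaped" form of a value to store. The database holds the real string; SQL quoting (or, better, parameter binding) happens when the string goes into a query, HTML encoding when it goes into a page, and a cookie value needs neither, but does need to be re-validated when it comes back.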

