  1. #1
    Regular Coder
    Join Date
    Sep 2009
    Location
    Calgary, Alberta
    Posts
    239
    Thanks
    47
    Thanked 3 Times in 3 Posts

    Help with mysql_real_escape_string

    What is the proper use of mysql_real_escape_string on a post to database or a retrieval from the database?

    Thanks in advance.

    Slayer.

  • #2
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,343
    Thanks
    60
    Thanked 527 Times in 514 Posts
    Blog Entries
    4
    You use it on anything you insert into the database that is a string. You can check that by using the function is_string(); however, I just use it on everything - string, integer, double etc. Anything goes as far as I'm concerned. If it's numeric then it won't do anything to it so no harm done.

    As for pulling stuff out, no you don't use it there. Read the php manual and repeat reading it until you understand it.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #3
    Regular Coder
    I was reading the manual prior to coming on here to post..

    Hence the reason I am here.. The PHP manuals etc. are speaking something else other than what I do..

    Or whatever reason it just did not seem clear.

    Thanks for your info tangoforce.

    Would you happen to have an example on post to the DB.

    thanks, Slayer

  • #4
    Senior Coder
    PHP Code:
    <?php
    //Get data from post array
    $Name = $_POST['name']; //name is the fields name - eg <input type="text" name="name">

    //Say $Name contains O'Neil - This will turn it into O\'Neil which tells mysql to ignore the ' character that could otherwise cause SQL problems / injection.
    $Name = mysql_real_escape_string($Name);

    mysql_query("insert into names (`name`) values ('$Name')");
    ?>

  • Users who have thanked tangoforce for this post:

    SlayerACC (04-30-2012)

  • #5
    Regular Coder
    Thank you,

    Tango..

  • #6
    Senior Coder

  • #7
    Regular Coder
    Sorry second question to this topic.

    Can I use this ?
    PHP Code:
    $home=mysql_real_escape_string($_POST[home]); 

    Thanks, Slayer

  • #8
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Did you try it? Does it work? You can answer your own question you know. Also you should check to see if magic quotes is enabled. If so you need to stripslashes on the data or your data will be escaped twice, which will affect how you bring it out of the database. I've always just done stripslashes on the data without checking to see if magic quotes is on.
    PHP Code:
    $home=mysql_real_escape_string(stripslashes($_POST['home'])); 
    ||||If you are getting paid to do a job, don't ask for help on it!||||
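
The double-escaping problem from the post above, shown with PDO prepared statements in place of mysql_real_escape_string (an added example, not code from the thread). The in-memory SQLite database and the helpers raw_input_value, store_name and fetch_name are assumptions made so that it runs offline.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT)');

// Hypothetical helper: undo magic-quotes escaping only when it was applied.
// The flag is passed in because the ini setting is gone from current PHP.
function raw_input_value(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

function store_name(PDO $db, string $name): int
{
    // The value is sent separately from the SQL text, so it is never escaped
    // by hand and a quote in it cannot end the string literal.
    $stmt = $db->prepare('INSERT INTO names (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

function fetch_name(PDO $db, int $id): string
{
    // Binding also covers numeric values, which escaping does not protect
    // when they are placed in the SQL without surrounding quotes.
    $stmt = $db->prepare('SELECT name FROM names WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample input: magic quotes ran addslashes() on request data,
// so $_POST['name'] arrived as O\'Neil when it was on.
$quoted = addslashes("O'Neil");
$plain  = "O'Neil";

$ids = [
    'magic quotes on, stripped'     => store_name($db, raw_input_value($quoted, true)),
    'magic quotes off'              => store_name($db, raw_input_value($plain, false)),
    'magic quotes on, not stripped' => store_name($db, $quoted),
];

// The first two rows come back identical; the third keeps a stray backslash,
// which is the double-escaping problem described above.
foreach ($ids as $case => $id) {
    printf("%-30s %s\n", $case, fetch_name($db, $id));
}
```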

  • #9
    Senior Coder
    Quote: Originally Posted by SlayerACC
    Sorry second question to this topic.

    Can I use this ?
    PHP Code:
    $home=mysql_real_escape_string($_POST[home]); 

    Thanks, Slayer
    Yes but as Aerospace has pointed out you need single quotes in there. You might find the TIP link in my signature useful (the one about quotes).

  • #10
    Regular Coder
    Awesome.. Thanks again Tango..

