FRIHOSTFORUMSFAQTOSBLOGSDIRECTORY
You are invited to Log in or Register a Frihost Account!

mysql_real_escape_string question

   Frihost Forum Index -> Scripting -> Php and MySQL
 


DoctorBeaver
I've been looking through a few mySQL tutorials and I've come across this at http://www.scit.wlv.ac.uk/appdocs/php/function.mysql-real-escape-string.html

"mysql_real_escape_string ( string unescaped_string [, resource link_identifier])

You must always (with few exceptions) use this function to make your data safe before sending a query to MySQL. If you have magic_quotes_gpc enabled, and you are working with data from user input, you must first stripslashes() your data. If your data are form other sources and you have magic_quotes_runtime enabled, you also have to stripslashes() your data. If you don't do so, you leave yourself open to SQL Injection Attacks."

No other tutorials I've read have mentioned this. Does anyone know about it? Does anyone use this?

Also, can someone explain exactly what magic_quotes_gpc, magic_quotes_runtime, or anything else to do with magic_quotes are? I've read the entry in the tutorial but I don't really understand it.
AftershockVibe
It basically escapes any character which can be used to nest a SQL query within another query or may confuse the database - basically it's things like line feed, return carriage, the two types of quote mark, semicolon.

If you have a search box designed to look for one text string then without removing quotes and other special characters used in regular expressions it is possible to perform SQL Injection exploits.

See here for how this works;
http://en.wikipedia.org/wiki/Sql_injection

Magic Quotes are PHPs implementation of strings for idiots. Basically, if they are enabled on the server then it allows you to put variables in the middle of unescaped strings and for PHP to still work as intended.

eg.
Code:
$Name = "John";
echo "My name is $Name";

In all normal languages will print just that: My name is $Name but PHP uses magic quotes to work out that you meant to actually put
Code:
$Name = "John";
echo "My name is " . $Name;


It is mostly more annoying to existing programmers than useful. Luckily I'm a Brit so rarely use the dollar sign.
snowboardalliance
AftershockVibe wrote:
It basically escapes any character which can be used to nest a SQL query within another query or may confuse the database - basically it's things like line feed, return carriage, the two types of quote mark, semicolon.

If you have a search box designed to look for one text string then without removing quotes and other special characters used in regular expressions it is possible to perform SQL Injection exploits.

See here for how this works;
http://en.wikipedia.org/wiki/Sql_injection

Magic Quotes are PHPs implementation of strings for idiots. Basically, if they are enabled on the server then it allows you to put variables in the middle of unescaped strings and for PHP to still work as intended.

eg.
Code:
$Name = "John";
echo "My name is $Name";

In all normal languages will print just that: My name is $Name but PHP uses magic quotes to work out that you meant to actually put
Code:
$Name = "John";
echo "My name is " . $Name;


It is mostly more annoying to existing programmers than useful. Luckily I'm a Brit so rarely use the dollar sign.


Umm, magic_quotes just means php runs add slashes on all get/post variables. You are talking about variable interpolation.
DoctorBeaver
snowboardalliance wrote:


Umm, magic_quotes just means php runs add slashes on all get/post variables. You are talking about variable interpolation.


Confused

But it also says there to use stripslashes(). What the hell is the point of adding / and then removing it?
snowboardalliance
DoctorBeaver wrote:
snowboardalliance wrote:


Umm, magic_quotes just means php runs add slashes on all get/post variables. You are talking about variable interpolation.


Confused

But it also says there to use stripslashes(). What the hell is the point of adding / and then removing it?


If you mysql_real_escape something WITH slashes, It will increase them even more than you want. So first you strip_slashes, then run mysql_real_escape. When you want to read the data, you strip_slashes.
It is better to use mysql_real_escape than just add_slashes.
DoctorBeaver
Thanks, SnowboardAlliance - it makes sense now
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2007 Frihost, forums powered by phpBB.