mysql real escape string help

andrewsmd

3:56 pm on Dec 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm trying to use this function and am having an issue. Here is my query

$query = "insert into messages(text, facebook, twitter, custom, up, down, date) values('{$input}', '{$fb}', '{$twt}', '{$cust}', 0, 0, '{$time}');";

That will return
insert into messages(text, facebook, twitter, custom, up, down, date) values('blah', 'Your facebook page', 'http://ts.com', 'Your blog or website', 0, 0, '1291305361');

when I use the function mysql_...($query); that returns
insert into messages(text, facebook, twitter, custom, up, down, date) values(\'asdf\', \'Your facebook page\', \'http://ts.com\', \'Your blog or website\', 0, 0, \'1291305209\');

I was under the impression you used this function to make your queries safe for insertion from malicious inserts. Am I understanding this wrong, because when I try to use it, it doesn't insert the data.

coopster

4:20 pm on Dec 2, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



You use the escape function on each value, not the entire query.
$input = mysql_real_escape_string($input);

See the PHP manual for more information on mysql_real_escape_string [php.net]

Also, 'date' is a reserved keyword in MySQL. Watch out what you are using for column names!
[dev.mysql.com...]
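The difference coopster describes, shown end to end. This is an added example, not code from the thread; it uses the mysqli extension rather than the mysql_* functions discussed above (those were removed in PHP 7), and it assumes a reachable MySQL server with the connection details in the script and a `messages` table whose columns match the original query (the `date` column is assumed to be an integer Unix timestamp). The hostile input value is constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Assumed connection details and schema:
//   CREATE TABLE messages (text TEXT, facebook VARCHAR(255), twitter VARCHAR(255),
//     custom VARCHAR(255), up INT, down INT, `date` INT UNSIGNED);
$link = mysqli_connect('localhost', 'app', 'secret', 'app_db');
if (!$link) {
    die('Connect failed: ' . mysqli_connect_error());
}
// Escaping is charset-aware, so set the charset on the link (not via SET NAMES).
mysqli_set_charset($link, 'utf8mb4');

// Constructed input, as a hostile user might submit it.
$input = "blah'); DROP TABLE messages; --";
$fb    = 'Your facebook page';
$twt   = 'http://ts.com';
$cust  = 'Your blog or website';
$time  = time();

// 1. The mistake in the question: escaping the whole query turns every string
//    delimiter into \' so MySQL sees no string literals at all and rejects the
//    statement with a syntax error. Nothing is inserted.
$raw = "INSERT INTO messages (text, facebook, twitter, custom, up, down, `date`)
        VALUES ('{$input}', '{$fb}', '{$twt}', '{$cust}', 0, 0, '{$time}')";
$broken = mysqli_real_escape_string($link, $raw);
var_dump(mysqli_query($link, $broken)); // bool(false)

// 2. What coopster describes: escape each VALUE, then interpolate it between
//    quotes that are part of the SQL you wrote. The payload is stored literally;
//    the DROP TABLE never runs.
$esc = function ($v) use ($link) {
    return mysqli_real_escape_string($link, (string) $v);
};
$query = sprintf(
    "INSERT INTO messages (text, facebook, twitter, custom, up, down, `date`)
     VALUES ('%s', '%s', '%s', '%s', 0, 0, '%s')",
    $esc($input), $esc($fb), $esc($twt), $esc($cust), $esc($time)
);
var_dump(mysqli_query($link, $query)); // bool(true)

// 3. The safer form: a prepared statement sends the values separately from the
//    SQL text, so there is no escaping step to forget or apply at the wrong layer.
$stmt = mysqli_prepare(
    $link,
    "INSERT INTO messages (text, facebook, twitter, custom, up, down, `date`)
     VALUES (?, ?, ?, ?, 0, 0, ?)"
);
mysqli_stmt_bind_param($stmt, 'ssssi', $input, $fb, $twt, $cust, $time);
var_dump(mysqli_stmt_execute($stmt)); // bool(true)
mysqli_stmt_close($stmt);
mysqli_close($link);
```

Case 1 reproduces the symptom in the original post (every quote in the dumped query appears as \' and the insert fails); case 2 is the per-value fix; case 3 is what a practitioner should reach for first, since escaping only helps when it is applied to every interpolated value and only protects quoted string contexts (an escaped value dropped into an unquoted numeric position such as the `up`/`down` columns is still injectable). The column name `date` is backticked throughout so the statement does not depend on how MySQL treats that keyword.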

andrewsmd

4:25 pm on Dec 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Oh, I never actually knew that. Thank you for the information.

JuicyScript

12:11 pm on Dec 3, 2010 (gmt 0)

10+ Year Member



You can add this to your function. It is called mysql_prep.
Basically it adds all the slashes for you.

function mysql_prep( $value ) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
    if( $new_enough_php ) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if( $magic_quotes_active ) { $value = stripslashes( $value ); }
        $value = mysql_real_escape_string( $value );
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if( !$magic_quotes_active ) { $value = addslashes( $value ); }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}


Then change
$query = "insert into messages(text, facebook, twitter, custom, up, down, date) values('{$input}', '{$fb}', '{$twt}', '{$cust}', 0, 0, '{$time}');";

to

<?php
// escape each posted value before it goes anywhere near the query
$input = mysql_prep($_POST['text']);
$fb    = mysql_prep($_POST['facebook']);
$twt   = mysql_prep($_POST['twitter']);
$cust  = mysql_prep($_POST['custom']);
// continue (set $time as before)

$query = "INSERT INTO messages (
    text, facebook, twitter, custom, up, down, date
) VALUES (
    '{$input}', '{$fb}', '{$twt}', '{$cust}', 0, 0, '{$time}')";
$result = mysql_query($query);
?>


I'm kinda in a hurry but am sure this should do the trick.

This code should have worked if you took out the ; at the end:
$query = "insert into messages(text, facebook, twitter, custom, up, down, date) values('{$input}', '{$fb}', '{$twt}', '{$cust}', 0, 0, '{$time}');";

Change it to this
$query = "insert into messages(text, facebook, twitter, custom, up, down, date) values('{$input}', '{$fb}', '{$twt}', '{$cust}', 0, 0, '{$time}')";


But it wouldn't have escaped the strings.
OK, happy programming.