Re: Correct use of mysql_real_escape_string()

Posted by Gleep on 03/24/07 03:27

On Fri, 23 Mar 2007 20:09:57 GMT, "Simon Harris" <too-much-spam@makes-you-fat.com> wrote:

>Hi All,
>
>I am using mysql_real_escape_string() on strings before they are entered
>into mySQL. This has worked Ok, but when I get the information out,
>single/double quotes are preceded with a \ (escaped) so,
>"Something in quotes" becomes \"something in quotes\"
>
>Do I need to replace \" with " before I print the string to the page? Or am
>I missing something? Is there an opposite to mysql_real_escape_string() that
>I should call on the string when reading the data from mySQL? Or perhaps I
>have totally missed the point of this function? :)
>
>Any help/suggestions muchly appreciated!
>
>Simon.
>
>--



I wrote up this function to prevent SQL injections.
I didn't test it, but it should work.

function cleanVar($str) {
    // Numeric input is returned untouched.
    if (is_numeric($str))
        return $str;

    // With magic_quotes_gpc on, PHP has already backslash-escaped every
    // GET/POST/COOKIE value; undo that first, or the value gets escaped twice
    // and the database ends up holding literal backslashes.
    if (get_magic_quotes_gpc())
        $str = stripslashes($str);

    // Escape exactly once, for every non-numeric value, whether or not magic
    // quotes are on. mysql_real_escape_string() needs an open mysql_connect()
    // link because the escaping rules depend on the connection charset.
    if (function_exists('mysql_real_escape_string'))
        return mysql_real_escape_string($str);
    elseif (function_exists('mysql_escape_string'))
        return mysql_escape_string($str);
    else
        return addslashes($str);
}


// example usage: the escaped value must sit between quotes in the query,
// otherwise the escaping protects nothing (quoting a number is harmless in MySQL)
$query = "UPDATE users SET name='" . cleanVar($name) . "', id='" . cleanVar($id) . "'";
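
An added example (written for this page, not Simon's or Gleep's code) that runs the answer to the quoted question: the backslashes from mysql_real_escape_string() exist only inside the SQL text, MySQL's parser removes them, so the stored value is the original and nothing has to be unescaped on the way out; stored backslashes mean the value was escaped twice, which is exactly what magic_quotes_gpc does before your script runs. Assumptions: mysqlEscape() and mysqlParseLiteral() are stand-ins written here that reproduce the escaper (single-byte charset) and MySQL's literal decoding so the script needs no MySQL server; escapeOnce(), check() and roundTrip() are names chosen here; the last part uses an in-memory SQLite database through PDO (pdo_sqlite extension) in place of a MySQL connection; PHP 7.1 or newer.

```php
<?php
// Added example, not code from the thread. mysqlEscape() reproduces what
// mysql_real_escape_string() does for a single-byte connection charset, and
// mysqlParseLiteral() reproduces how MySQL's parser decodes a quoted literal,
// i.e. what actually gets stored. Both are stand-ins so parts 1-4 need no server.

function mysqlEscape(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

function mysqlParseLiteral(string $escaped): string {
    return strtr($escaped, [
        "\\\\" => "\\",
        "\\'"  => "'",
        "\\\"" => "\"",
        "\\0"  => "\0",
        "\\n"  => "\n",
        "\\r"  => "\r",
        "\\Z"  => "\x1a",
    ]);
}

// Undo the magic_quotes_gpc layer if present, then escape exactly once. The
// flag is a parameter so the demo can show both states; PHP 5 code would read
// get_magic_quotes_gpc() instead (the setting no longer exists in PHP 5.4+).
function escapeOnce(string $raw, bool $magicQuotesOn): string {
    if ($magicQuotesOn) {
        $raw = stripslashes($raw);
    }
    return mysqlEscape($raw);
}

function check(bool $ok, string $what): void {
    echo ($ok ? 'PASS' : 'FAIL') . ": $what\n";
    if (!$ok) exit(1);
}

$input = 'Say "hi" to O\'Brien';   // constructed sample: what the user typed into the form

// 1. Escaped once, the backslashes exist only inside the SQL text. MySQL
//    removes them when it parses the literal, so the stored value is the
//    original and there is nothing to "unescape" when reading it back.
$sql = "INSERT INTO users (name) VALUES ('" . mysqlEscape($input) . "')";
check($sql === "INSERT INTO users (name) VALUES ('Say \\\"hi\\\" to O\\'Brien')",
      'SQL text carries the backslashes');
check(mysqlParseLiteral(mysqlEscape($input)) === $input, 'stored value equals the input');

// 2. Simon's symptom: with magic_quotes_gpc = On, PHP has already run
//    addslashes() on every GET/POST/COOKIE value before the script sees it.
//    Escaping that a second time stores literal backslashes.
$fromPost = addslashes($input);   // simulates magic_quotes_gpc = On
check(mysqlParseLiteral(mysqlEscape($fromPost)) === 'Say \"hi\" to O\\\'Brien',
      'double escaping stores backslashes');

// 3. The fix is on the way in, not on the way out: strip the magic-quotes
//    layer, then escape once.
check(mysqlParseLiteral(escapeOnce($fromPost, true)) === $input, 'stripslashes, then escape once');
check(mysqlParseLiteral(escapeOnce($input, false)) === $input, 'no magic quotes, escape once');

// 4. Escaping only protects a value that sits between quotes. A payload with
//    no quote characters passes through unchanged, so "SET name=" . $escaped
//    without the surrounding quotes is still injectable.
$evil = '1 OR 1=1';
check(mysqlEscape($evil) === $evil, 'nothing to escape without quotes');
$unquoted = "UPDATE users SET name=" . mysqlEscape($evil);         // injectable
$quoted   = "UPDATE users SET name='" . mysqlEscape($evil) . "'";  // just a string value
check(strpos($unquoted, 'name=1 OR 1=1') !== false, 'unquoted: payload becomes SQL');
check(strpos($quoted, "name='1 OR 1=1'") !== false, 'quoted: payload stays data');

// 5. Prepared statements send the value separately from the SQL text, so no
//    escaping or unescaping happens anywhere. An in-memory SQLite database via
//    PDO stands in for MySQL so this runs offline (needs the pdo_sqlite
//    extension); with MySQL only the DSN changes, the statement is identical.
function roundTrip(string $value): string {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (name TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->execute([$value]);
    return (string) $pdo->query('SELECT name FROM users')->fetchColumn();
}
check(roundTrip($input) === $input, 'prepared statement round trip');

// 6. When the value is printed into a page, the encoding needed is HTML's,
//    not MySQL's: htmlspecialchars() on output, never stripslashes().
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php`; every line should print PASS, and the last line shows the HTML-encoded value. The point of part 4 is the one Gleep's usage line needs: mysql_real_escape_string() is only meaningful for a value placed between quotes, so build the query as `name='" . cleanVar($name) . "'`, or use a prepared statement and drop the escaping entirely.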

 


Copyright © 2005-2006 Powered by Custom PHP Programming
