Re: What am I doing wrong?

Posted by Jerry Stuckle on 08/08/07 19:55

dkruger wrote:
> On Aug 8, 12:41 pm, Michael Fesser <neti...@gmx.de> wrote:
>> .oO(dkruger)
>>
>>> Thanks for the tip, I have resolved the problem, but the reason
>>> mysql_real_escape_string() is not being used, is the query statement
>>> is generated prior to making a connection to the mysql server, and if
>>> I understand correctly mysql_real_escape_string has to be run after
>>> establishing a connection to mysql, which in my situation makes it not
>>> an option. Since not all of my code is shown previously, there would
>>> be no way you would have known that was why addslashes was being used
>>> instead.
>> addslashes() is _not_ an appropriate way to prevent SQL injection! If
>> you can't do proper escaping, then your code structure is ... at least
>> suboptimal (I don't want to call it broken, but it is somewhat). Is
>> there any particular reason why you can't open a DB connection first?
>> Usually that's done at the beginning of a script, if there's any DB
>> operation to be done.
>>
>> Of course even better would be to use PDO and prepared statements, but
>> even then you would have to open a connection first, before performing
>> any action. That's how it should be and how it works.
>>
>> Another question, just out of curiosity - in your second posting you
>> wrote:
>>
>>> Wait, i think I know what the problem is...I just realized it is
>>> running another query afterward to get the record for the previously
>>> submitted record, that seems to be the one causing the error.
>> May I ask how you get the previously inserted record in your second
>> query? Just want to be sure, because there's a right way and a wrong way
>> for doing that ...
>>
>> Micha
>
> I understand that addslashes is not an appropriate way to prevent the
> SQL injections from occurring, from the way it looks,
> mysql_real_escape_string really only seems to replace a few other
> characters in the passed string...I could be and probably am wrong
> with how it works and prevents the injections, but what happens in my
> code and with the code example above, is it executes a function that
> receives the query string, and database, that function then connects
> to mysql, runs the query, disconnects from mysql and returns any data
> in an array as a result. If I were going to add the additional
> character replacements that addslashes does not do and
> mysql_real_escape_string does, couldn't I just use str_replace to
> replace each in the function that receives the query?
>
> For getting the data submitted, I am sure is probably a wrong way of
> doing it, but it works. All that does, is returns the latest record
> id for the record matching the Requestor, subject, and Date_Request
> fields. That query was the one that was causing the error that I
> refer to and have corrected now.
>

mysql_real_escape_string() escapes characters based on the current
charset being used (which is why it needs the connection). That way if
you need to change your charset you don't need to change your code.

Simply make the connection sooner and do it the correct way.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
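The restructuring Jerry and Micha recommend, as an added example that is not code from either poster: open the connection once at the top of the script, send values through PDO prepared statements instead of building the query string with addslashes(), and read the newly inserted row back by its auto-increment id rather than re-querying on Requestor, subject and Date_Request. The table name `requests`, the `id` column and the DSN/credentials are assumptions.

```php
<?php
// Assumed schema: table `requests` with id (AUTO_INCREMENT), Requestor,
// subject, Date_Request. Database name, user and password are placeholders.

function openDb(): PDO
{
    // Charset is fixed in the DSN, so the driver escapes/binds correctly
    // for it; no per-query connect/disconnect as in the original helper.
    $dsn = 'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4';
    return new PDO($dsn, 'EXAMPLE_USER', 'EXAMPLE_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function insertRequest(PDO $pdo, string $requestor, string $subject, string $dateRequest): int
{
    // Values are bound separately from the SQL text, so no addslashes()
    // or str_replace() escaping of the query string is involved at all.
    $stmt = $pdo->prepare(
        'INSERT INTO requests (Requestor, subject, Date_Request)
         VALUES (:requestor, :subject, :date_request)'
    );
    $stmt->execute([
        ':requestor'    => $requestor,
        ':subject'      => $subject,
        ':date_request' => $dateRequest,
    ]);
    // lastInsertId() is scoped to this connection, so it is unaffected by
    // concurrent inserts from other clients. It must be read on the same
    // connection that ran the INSERT.
    return (int) $pdo->lastInsertId();
}

function fetchRequest(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, Requestor, subject, Date_Request FROM requests WHERE id = :id'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage: one connection for the whole script, established before any query.
$pdo   = openDb();
$newId = insertRequest($pdo, $_POST['requestor'] ?? '', $_POST['subject'] ?? '', date('Y-m-d'));
print_r(fetchRequest($pdo, $newId));
```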
