escaping with mysql_real_escape_string()


Posted by MattMika on 02/23/07 22:51

In the pursuit of better coding practices and security understanding I
just disabled magic_quotes_gpc on our webserver (php-4.3.11,
mysql-4.1.11) and am implementing escaping on GPC data that's used in
queries or written to the DB.

When I execute an insert of $_POST["description"]; with the value
O'Reilly

- without mysql_real_escape_string() I get a SQL syntax error near the
single quote.

- with mysql_real_escape_string() the field is written as O'Reilly in
the db field.

I was under the impression that escaped strings would be written to
the DB like O/'Reilly, but it's not.

The manual says:
"Returns the escaped string, or FALSE on error."

So mysql removes the escapes once it determines data to be escaped
properly? I assume for the purpose that you don't have to stripslashes
from queried data? Is this right?

Also, should I worry about escaping all data in GPC or only user input
$_POST and possibly modified $_GET data? For instance, should I escape
$_POST arrays populated by checkboxes? I assume it could be hacked for
injection purposes as well so should be checked.

TIA
Matt Mika

"These animals evacuate ethyl alcohol from their bowels and carbon dioxide from their urinary organs. Thus, one can observe how a specially lighter fluid is exuded from the anus and rises vertically whereas a stream of carbon dioxide is ejected at very short intervals from enormously long genitales."

Justus Freiherr von Liebig - 1839
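The behaviour the post asks about, as an added example that is not part of the original message: the escape character exists only in the SQL statement text, and the server's parser consumes it when it decodes the string literal, so the stored value has no backslash and needs no stripslashes. Because no MySQL server is assumed, this example uses PDO with an in-memory SQLite database (PHP 5.1+ with the pdo_sqlite driver); SQLite's PDO::quote() doubles the apostrophe (O''Reilly) where mysql_real_escape_string() would emit a backslash (O\'Reilly), but the principle is the same. The escape_gpc() helper, the items table and the $post array are constructed for this example.

```php
<?php
// Added example, not from the original post. Shows that an escaped quote is
// visible in the statement text but never in the stored row, and that a
// prepared statement avoids escaping altogether.
// Assumption: PDO with the SQLite driver is available; MySQL is not required.

function escape_gpc($value, PDO $db) {
    // Quote a scalar, or every leaf of a nested array (e.g. a checkbox group
    // posted as $_POST['tags'][]), so array input is not silently skipped.
    if (is_array($value)) {
        return array_map(function ($v) use ($db) { return escape_gpc($v, $db); }, $value);
    }
    // PDO::quote() returns the value already wrapped in quotes and escaped
    // according to the driver in use.
    return $db->quote((string) $value);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, description TEXT)');

// Constructed stand-in for $_POST: a scalar field and a checkbox array.
$post = array(
    'description' => "O'Reilly",
    'tags'        => array("a'b", 'plain'),
);

// 1. String concatenation with escaping: the escaped quote appears in the
//    statement that is sent, but the parser turns it back into a plain quote
//    before the value is stored.
$literal = escape_gpc($post['description'], $db);
$sql = "INSERT INTO items (description) VALUES ($literal)";
echo "Statement sent to the server: $sql\n";
$db->exec($sql);

// 2. Prepared statement: the value never becomes part of the SQL text, so
//    there is nothing to escape. This is the preferred form for user input.
$stmt = $db->prepare('INSERT INTO items (description) VALUES (?)');
foreach ($post['tags'] as $tag) {
    $stmt->execute(array($tag));
}

// Read back: every row holds the original value without escape characters,
// so no stripslashes() is needed on data coming out of the database.
foreach ($db->query('SELECT description FROM items ORDER BY id') as $row) {
    echo "Stored: " . $row['description'] . "\n";
}
```

Run it with `php example.php`; the echoed statement contains the driver's escaped form of the quote while every "Stored:" line shows the original text. On MySQL, mysql_real_escape_string() plays the role of PDO::quote() in step 1 (minus the surrounding quotes, which you add yourself), and the same rule applies: escape every value that is concatenated into a query, array elements included, or use a prepared statement so the question does not arise.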




Copyright © 2005-2006 Powered by Custom PHP Programming
