Posted by shimmyshack on 03/24/07 06:20

On 24 Mar, 03:27, Gleep <G...@Gleep.com> wrote:
> On Fri, 23 Mar 2007 20:09:57 GMT, "Simon Harris" <too-much-s...@makes-you-fat.com> wrote:
> >Hi All,
>
> >I am using mysql_real_escape_string() on strings before they are entered
> >into mySQL. This has worked Ok, but when I get the information out,
> >single/double quotes are preceeded with a \ (Escaped) so,
> >"Something in quotes" becomes \"something in quotes\"
>
> >Do I need to replace \" with " before I print the string to the page? Or am
> >I missing something? Is there an opposite to mysql_real_escape_string() that
> >I should call on the string when reading the data from mySQL? Or perhaps I
> >have totally missed the point of this function? :)
>
> >Any help/suggestions muchly appreciated!
>
> >Simon.
>
> >--
>
> I wrote up this function to prevent sql injections
> i didn't test it - but it should work
>
> function cleanVar($str) {
> if(is_numeric($str))
> return $str;
> else {
> if(get_magic_quotes_gpc()) {
> $str = stripslashes($str);
> if(function_exists('mysql_real_escape_string'))
> return mysql_real_escape_string($str);
> elseif(function_exists('mysql_escape_string'))
> return mysql_escape_string($str);
> else
> return addslashes($str);
> } // end magic
> } // end numeric
>
> } // end function
>
> // example usage
> $query = "UPDATE users SET name=". cleanVar($name) .", id=". cleanVar($id) ." ";

huh - you have to be kidding!!??
no this would _not_ work, sorry
it's not a game where you can "do it yourself" with a quick fix of
strip/addslashes mixed with is_numeric and a call or so to magic doo-
dah.
There are brilliant, creative coders who are on the other end, your
function is like making your front door entirely out of a letter box
marked - bet you can't post stuff through here!

[Back to original message]