Posted by zach on 08/05/07 05:16
Rik wrote:
> On Sun, 05 Aug 2007 05:01:54 +0200, zach <wackzingo@gmail.com> wrote:
>
>> I created a comment form which inserts the comments into a
>> database and displays them immediately. I want to make sure that it's
>> safe from users inserting unwanted data into the database or executing
>> queries.
>>
>> Here's my php code, is this done right? Is there anything else I
>> should do to make it more secure?
>>
>>
>>
>> $handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
>> like an error occurred.');
>>
>> $sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
>> (NULL, '$comment', '$name', '$key')";
>>
>> mysql_real_escape_string($sql);
>
> You've got the point backwards....
>
> $sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
> (NULL, '";
> $sql .= mysql_real_escape_string($comment);
> $sql .= "', '";
> $sql .= mysql_real_escape_string($name);
> $sql .= "', '";
> $sql .= mysql_real_escape_string($key);
> $sql .= "')";
>
> Else, the 'delimiters' (the quotes) for your string will have been
> escaped too.
>
> Where do $comment,$name & $key come from BTW? I hope you're not relying
> on register_globals.....
>
>> mysql_select_db($database);
>>
>> mysql_query($sql);
>>
>> mysql_close($handle);
>
> Is normally done automatically on the end of the request, but as long as
> you're finished with the database for the request a good thing to do.
>
> --Rik Wasmus
Ok, something that confuses me is why does mysql_real_escape_string need
a link or connection to the database if it's simply escaping a string. I
thought the whole point was to do the work before it ever goes to a
database, so I wouldn't expect it to need a connection.
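The difference Rik describes, as an added example that is not part of the thread: a small Python model of mysql_real_escape_string's documented escaping rules (it assumes a single-byte charset, which is exactly what the real function needs the connection for) applied the two ways, plus a check that counts the unescaped quote delimiters left in each statement.

```python
# Characters that MySQL's mysql_real_escape_string() escapes, per its docs:
# NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

def escape(value: str) -> str:
    """Model of mysql_real_escape_string() for a single-byte charset.

    Assumption: the real function reads the connection's character set so it
    never splits a multi-byte sequence; this model ignores that, which is why
    it needs no connection while the real one does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

_PREFIX = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL, '"

def build_wrong(comment: str, name: str, key: str) -> str:
    """zach's order: interpolate raw values, then escape the whole statement."""
    sql = _PREFIX + comment + "', '" + name + "', '" + key + "')"
    return escape(sql)

def build_right(comment: str, name: str, key: str) -> str:
    """Rik's order: escape each value, then place it between the delimiters."""
    return _PREFIX + escape(comment) + "', '" + escape(name) + "', '" + escape(key) + "')"

def unescaped_quote_count(sql: str) -> int:
    """Count single quotes not preceded by a backslash escape.

    Three quoted values need exactly six delimiters; zero means the
    delimiters themselves were escaped and the statement is no longer valid."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # skip the escape sequence as a unit
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count

# Constructed sample input containing both kinds of quote.
SAMPLE_COMMENT, SAMPLE_NAME, SAMPLE_KEY = 'It\'s "great"', "O'Brien", "q1"

if __name__ == "__main__":
    for label, build in (("whole statement", build_wrong), ("per value", build_right)):
        sql = build(SAMPLE_COMMENT, SAMPLE_NAME, SAMPLE_KEY)
        print(f"{label}: {unescaped_quote_count(sql)} delimiters -> {sql}")
```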