Re: mysql_real_escape_string()

Posted by zach on 08/05/07 05:35

zach wrote:
> Rik wrote:
>> On Sun, 05 Aug 2007 05:01:54 +0200, zach <wackzingo@gmail.com> wrote:
>>
>>> I created a comment form which inserts the comments into a
>>> database and displays them immediately. I want to make sure that it's
>>> safe from users inserting unwanted data into the database or
>>> executing queries.
>>>
>>> Here's my php code, is this done right? Is there anything else I
>>> should do to make it more secure?
>>>
>>> $handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
>>> like an error occurred.');
>>>
>>> $sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
>>> (NULL, '$comment', '$name', '$key')";
>>>
>>> mysql_real_escape_string($sql);
>>
>> You've got the point backwards....
>>
>> $sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
>> (NULL, '";
>> $sql .= mysql_real_escape_string($comment);
>> $sql .= "', '";
>> $sql .= mysql_real_escape_string($name);
>> $sql .= "', '";
>> $sql .= mysql_real_escape_string($key);
>> $sql .= "')";
>>
>> Else, the 'delimiters' (the quotes) for your string will have been
>> escaped too.
>>
>> Where do $comment, $name & $key come from BTW? I hope you're not
>> relying on register_globals.....
>>
>>> mysql_select_db($database);
>>>
>>> mysql_query($sql);
>>>
>>> mysql_close($handle);
>>
>> Is normally done automatically at the end of the request, but as long
>> as you're finished with the database for the request a good thing to do.
>>
>> --Rik Wasmus
>
>
> Ok, something that confuses me is why does mysql_real_escape_string need
> a link or connection to the database if it's simply escaping a string. I
> thought the whole point was to do the work before it ever goes to a
> database, so I wouldn't expect it to need a connection.


I forgot to mention, the comment, name and key variables come from a
form via the post method. And thanks again for the help. Do you have a
job or do you just sit around helping people all day? lol
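
The difference Rik points out, as an added example that is not code from this thread: a small Python model of the per-character escaping mysql_real_escape_string applies to one value (the PHP manual's list: NUL, \n, \r, \, ', " and Ctrl-Z), assuming a single-byte or UTF-8 connection character set, which is the reason the real function needs a connection handle. The three builder functions and the sample comment value are constructed for the demonstration; the literal scanner shows how the server would delimit each resulting statement.

```python
# Added example, not code from the thread: a Python model of the escaping that
# mysql_real_escape_string applies to ONE value (NUL, \n, \r, \, ', " and Ctrl-Z
# per the PHP manual; assumes a single-byte or UTF-8 connection charset).
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

PREFIX = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL, '"

def escape_value(value: str) -> str:
    """Escape one value the way mysql_real_escape_string does; never the SQL text."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def build_unescaped(comment: str, name: str, key: str) -> str:
    """No escaping at all: a quote inside a value ends its literal early."""
    return PREFIX + comment + "', '" + name + "', '" + key + "')"

def build_original(comment: str, name: str, key: str) -> str:
    """zach's ordering: interpolate raw values, then escape the whole statement."""
    return escape_value(build_unescaped(comment, name, key))  # delimiters escaped too

def build_fixed(comment: str, name: str, key: str) -> str:
    """Rik's ordering: escape each value, then wrap it in the quote delimiters."""
    return (PREFIX + escape_value(comment) + "', '" + escape_value(name)
            + "', '" + escape_value(key) + "')")

def string_literals(sql: str):
    """Delimit single-quoted literals the way the server would (a backslash
    escapes the next character). Returns (raw literal bodies, all_closed)."""
    literals, i, n, closed = [], 0, len(sql), True
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        start = i = i + 1
        while i < n and sql[i] != "'":
            i += 2 if sql[i] == "\\" else 1
        literals.append(sql[start:i])
        closed = closed and i < n  # an unterminated literal swallows the rest
        i += 1
    return literals, closed

if __name__ == "__main__":
    comment = "It's 5 o'clock"  # constructed sample input containing quote characters
    for build in (build_unescaped, build_original, build_fixed):
        # unescaped: 4 literals with "s 5 o" outside any of them; original: one
        # unterminated literal; fixed: exactly the 3 intended values
        print(build.__name__, string_literals(build(comment, "zach", "k1")))
```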
