Posted by dkruger on 08/08/07 18:16
On Aug 8, 12:41 pm, Michael Fesser <neti...@gmx.de> wrote:
> .oO(dkruger)
> >Thanks for the tip, I have resolved the problem, but the reason
> >mysql_real_escape_string() is not being used, is the query statement
> >is generated prior to making a connection to the mysql server, and if
> >I understand correctly mysql_real_escape_string has to be run after
> >establishing a connection to mysql, which in my situation makes it not
> >an option. Since not all of my code is shown previously, there would
> >be no way you would have known that was why addslashes was being used
> >instead.
> addslashes() is _not_ an appropriate way to prevent SQL injection! If
> you can't do proper escaping, then your code structure is ... at least
> suboptimal (I don't want to call it broken, but it is somewhat). Is
> there any particular reason why you can't open a DB connection first?
> Usually that's done at the beginning of a script, if there's any DB
> operation to be done.
> Of course even better would be to use PDO and prepared statements, but
> even then you would have to open a connection first, before performing
> any action. That's how it should be and how it works.
> Another question, just out of curiosity - in your second posting you
> wrote:
> >Wait, i think I know what the problem is...I just realized it is
> >running another query afterward to get the record for the previously
> >submitted record, that seems to be the one causing the error.
> May I ask how you get the previously inserted record in your second
> query? Just want to be sure, because there's a right way and a wrong way
> for doing that ...
> Micha
I understand that addslashes is not an appropriate way to prevent the
SQL injections from occurring; from the way it looks,
mysql_real_escape_string really only seems to replace a few other
characters in the passed string...I could be and probably am wrong
with how it works and prevents the injections, but what happens in my
code and with the code example above, is it executes a function that
receives the query string, and database, that function then connects
to mysql, runs the query, disconnects from mysql and returns any data
in an array as a result. If I were going to add the additional
character replacements that addslashes does not do and
mysql_real_escape_string does, couldn't I just use str_replace to
replace each in the function that receives the query?
For getting the data submitted, I am sure it is probably a wrong way of
doing it, but it works. All that does is return the latest record
id for the record matching the Requestor, subject, and Date_Request
fields. That query was the one that was causing the error that I
refer to and have corrected now.
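One way to keep the poster's connect-run-disconnect helper while switching to the PDO prepared statements Micha recommends, and to fetch the inserted row by its id instead of re-matching the Requestor, subject and Date_Request fields; this is an added example, not code from the thread. The table and column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL database reachable
// through PDO and a table `requests` with columns id (AUTO_INCREMENT),
// requestor, subject and date_request; all of these names are assumptions.

// Same shape as the poster's helper (takes the query, connects, runs it,
// disconnects, returns rows), but the SQL carries only placeholders and the
// user-supplied values travel separately. Nothing has to be escaped before
// the connection exists: the driver binds the values at execute time, and
// the connection's character set (the reason mysql_real_escape_string needs
// a live connection, and str_replace cannot replace it) no longer matters.
function run_query(string $dsn, string $user, string $pass,
                   string $sql, array $params = []): array
{
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // For an INSERT, the id of the row just written comes from this
    // connection, not from a second SELECT that re-matches the form fields.
    $lastId = $pdo->lastInsertId();
    $pdo = null; // disconnect, as the poster's helper does
    return ['rows' => $rows, 'last_id' => $lastId];
}

$dsn = 'mysql:host=localhost;dbname=helpdesk;charset=utf8mb4'; // assumed

// Constructed form values: the apostrophe and the double quotes are handled
// by the binding, so the query text itself is built from constants only.
$insert = run_query($dsn, 'app', 'secret',
    'INSERT INTO requests (requestor, subject, date_request) VALUES (?, ?, ?)',
    ["O'Brien", 'Printer says "offline"', '2007-08-08']);

// Fetch the record by its id; matching on requestor/subject/date could
// return someone else's row if two identical requests were submitted.
$record = run_query($dsn, 'app', 'secret',
    'SELECT id, requestor, subject, date_request FROM requests WHERE id = ?',
    [$insert['last_id']]);
print_r($record['rows']);
```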