Solved

Need help using  mysql_real_escape_string. PHP, windows, MySql

Posted on 2009-07-12
9
332 Views
Last Modified: 2013-12-13
I have the following insert statement that is working fine. I want to make sure though that it's not subject to any sql injection. I've read that using  mysql_real_escape_string is the way to go.

Can anyone show me how to use it around this insert?

<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) ';
$sql .= 'VALUES ("'.$_POST["customerID_cart"].'","'.$badge["firstName"].'","'.$badge["lastName"].'","'.$badge["badgeName"].'","'.$badge["email"].'","'.$_POST["membType"].'");';
mysql_query($sql);
}
0
Comment
Question by:MHenry
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 142

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 24835758
simple: you apply it to each individual string value:
<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) '; 
$sql .= 'VALUES ("'.mysql_real_escape_string ($_POST["customerID_cart"]).'","'.mysql_real_escape_string($badge["firstName"]).'","'.mysql_real_escape_string($badge["lastName"]).'","'.mysql_real_escape_string($badge["badgeName"]).'","'.mysql_real_escape_string($badge["email"]).'","'.mysql_real_escape_string($_POST["membType"]).'");';
mysql_query($sql);
}

Open in new window

0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 24836306
You might want to know the settings for "magic_quotes" and use stripslashes() on the POST fields if needed.  Then use mysql_real_escape_string().

See the PHP function here: http://us3.php.net/manual/en/function.get-magic-quotes-runtime.php
See also the security section here: http://us3.php.net/manual/en/security.magicquotes.php

Best regards, ~Ray
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24847158
Use mysql_real_escape_string

as magic_quotes is deprecated.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 109

Expert Comment

by:Ray Paseur
ID: 24849412
One strategy for dealing with this kind of input is to have a "cleanup" routine for the $_POST array.  You go through it once, perhaps via a function call, and make sure that you have processed each possible field into only "known good values" - this is where to add the escape strings.  Then you can refer to (for example) $clean_POST in your programming, knowing that everything in there has been scrubbed.  Just a thought. ~Ray
0
 
LVL 7

Author Comment

by:MHenry
ID: 24874315
Just a quick clarifying question: Does mysql_real_escape_string work with all versions of MySql?

Thanks,
MH
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24874378
yes, at least as what I know (mysql 3,4,5)
0
 
LVL 7

Author Closing Comment

by:MHenry
ID: 31602624
Great. Thanks!
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 24879697
For questions like this:

Does mysql_real_escape_string work with all versions of MySql?

It is often useful to refer to the online manual pages for PHP - some of the best online docs in existence, complete with excellent user-contributed notes.  For example,

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

HTH, ~Ray
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24879753
to clarify: mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
so, it's the php version that is important, and not the mysql version.
<phew>

0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question