Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Need help using  mysql_real_escape_string. PHP, windows, MySql

Posted on 2009-07-12
9
Medium Priority
?
345 Views
Last Modified: 2013-12-13
I have the following insert statement that is working fine. I want to make sure though that it's not subject to any sql injection. I've read that using  mysql_real_escape_string is the way to go.

Can anyone show me how to use it around this insert?

<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) ';
$sql .= 'VALUES ("'.$_POST["customerID_cart"].'","'.$badge["firstName"].'","'.$badge["lastName"].'","'.$badge["badgeName"].'","'.$badge["email"].'","'.$_POST["membType"].'");';
mysql_query($sql);
}
0
Comment
Question by:MHenry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 143

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 2000 total points
ID: 24835758
simple: you apply it to each individual string value:
<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) '; 
$sql .= 'VALUES ("'.mysql_real_escape_string ($_POST["customerID_cart"]).'","'.mysql_real_escape_string($badge["firstName"]).'","'.mysql_real_escape_string($badge["lastName"]).'","'.mysql_real_escape_string($badge["badgeName"]).'","'.mysql_real_escape_string($badge["email"]).'","'.mysql_real_escape_string($_POST["membType"]).'");';
mysql_query($sql);
}

Open in new window

0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24836306
You might want to know the settings for "magic_quotes" and use stripslashes() on the POST fields if needed.  Then use mysql_real_escape_string().

See the PHP function here: http://us3.php.net/manual/en/function.get-magic-quotes-runtime.php
See also the security section here: http://us3.php.net/manual/en/security.magicquotes.php

Best regards, ~Ray
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24847158
Use mysql_real_escape_string

as magic_quotes is deprecated.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24849412
One strategy for dealing with this kind of input is to have a "cleanup" routine for the $_POST array.  You go through it once, perhaps via a function call, and make sure that you have processed each possible field into only "known good values" - this is where to add the escape strings.  Then you can refer to (for example) $clean_POST in your programming, knowing that everything in there has been scrubbed.  Just a thought. ~Ray
0
 
LVL 7

Author Comment

by:MHenry
ID: 24874315
Just a quick clarifying question: Does mysql_real_escape_string work with all versions of MySql?

Thanks,
MH
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24874378
yes, at least as what I know (mysql 3,4,5)
0
 
LVL 7

Author Closing Comment

by:MHenry
ID: 31602624
Great. Thanks!
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24879697
For questions like this:

Does mysql_real_escape_string work with all versions of MySql?

It is often useful to refer to the online manual pages for PHP - some of the best online docs in existence, complete with excellent user-contributed notes.  For example,

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

HTH, ~Ray
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24879753
to clarify: mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
so, it's the php version that is important, and not the mysql version.
<phew>

0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question