Solved

Need help using  mysql_real_escape_string. PHP, windows, MySql

Posted on 2009-07-12
9
327 Views
Last Modified: 2013-12-13
I have the following insert statement that is working fine. I want to make sure though that it's not subject to any sql injection. I've read that using  mysql_real_escape_string is the way to go.

Can anyone show me how to use it around this insert?

<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) ';
$sql .= 'VALUES ("'.$_POST["customerID_cart"].'","'.$badge["firstName"].'","'.$badge["lastName"].'","'.$badge["badgeName"].'","'.$badge["email"].'","'.$_POST["membType"].'");';
mysql_query($sql);
}
0
Comment
Question by:MHenry
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 142

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 24835758
simple: you apply it to each individual string value:
<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) '; 
$sql .= 'VALUES ("'.mysql_real_escape_string ($_POST["customerID_cart"]).'","'.mysql_real_escape_string($badge["firstName"]).'","'.mysql_real_escape_string($badge["lastName"]).'","'.mysql_real_escape_string($badge["badgeName"]).'","'.mysql_real_escape_string($badge["email"]).'","'.mysql_real_escape_string($_POST["membType"]).'");';
mysql_query($sql);
}

Open in new window

0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24836306
You might want to know the settings for "magic_quotes" and use stripslashes() on the POST fields if needed.  Then use mysql_real_escape_string().

See the PHP function here: http://us3.php.net/manual/en/function.get-magic-quotes-runtime.php
See also the security section here: http://us3.php.net/manual/en/security.magicquotes.php

Best regards, ~Ray
0
 
LVL 19

Expert Comment

by:NerdsOfTech
ID: 24847158
Use mysql_real_escape_string

as magic_quotes is deprecated.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24849412
One strategy for dealing with this kind of input is to have a "cleanup" routine for the $_POST array.  You go through it once, perhaps via a function call, and make sure that you have processed each possible field into only "known good values" - this is where to add the escape strings.  Then you can refer to (for example) $clean_POST in your programming, knowing that everything in there has been scrubbed.  Just a thought. ~Ray
0
Easy Project Management (No User Manual Required)

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 7

Author Comment

by:MHenry
ID: 24874315
Just a quick clarifying question: Does mysql_real_escape_string work with all versions of MySql?

Thanks,
MH
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24874378
yes, at least as what I know (mysql 3,4,5)
0
 
LVL 7

Author Closing Comment

by:MHenry
ID: 31602624
Great. Thanks!
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24879697
For questions like this:

Does mysql_real_escape_string work with all versions of MySql?

It is often useful to refer to the online manual pages for PHP - some of the best online docs in existence, complete with excellent user-contributed notes.  For example,

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

HTH, ~Ray
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24879753
to clarify: mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
so, it's the php version that is important, and not the mysql version.
<phew>

0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now