Need help using mysql_real_escape_string. PHP, windows, MySql

I have the following insert statement that is working fine. I want to make sure though that it's not subject to any sql injection. I've read that using  mysql_real_escape_string is the way to go.

Can anyone show me how to use it around this insert?

<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) ';
$sql .= 'VALUES ("'.$_POST["customerID_cart"].'","'.$badge["firstName"].'","'.$badge["lastName"].'","'.$badge["badgeName"].'","'.$badge["email"].'","'.$_POST["membType"].'");';
mysql_query($sql);
}
LVL 7
MHenryAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Guy Hengel [angelIII / a3]Billing EngineerCommented:
simple: you apply it to each individual string value:
<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) '; 
$sql .= 'VALUES ("'.mysql_real_escape_string ($_POST["customerID_cart"]).'","'.mysql_real_escape_string($badge["firstName"]).'","'.mysql_real_escape_string($badge["lastName"]).'","'.mysql_real_escape_string($badge["badgeName"]).'","'.mysql_real_escape_string($badge["email"]).'","'.mysql_real_escape_string($_POST["membType"]).'");';
mysql_query($sql);
}

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ray PaseurCommented:
You might want to know the settings for "magic_quotes" and use stripslashes() on the POST fields if needed.  Then use mysql_real_escape_string().

See the PHP function here: http://us3.php.net/manual/en/function.get-magic-quotes-runtime.php
See also the security section here: http://us3.php.net/manual/en/security.magicquotes.php

Best regards, ~Ray
0
NerdsOfTechTechnology ScientistCommented:
Use mysql_real_escape_string

as magic_quotes is deprecated.
0
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Ray PaseurCommented:
One strategy for dealing with this kind of input is to have a "cleanup" routine for the $_POST array.  You go through it once, perhaps via a function call, and make sure that you have processed each possible field into only "known good values" - this is where to add the escape strings.  Then you can refer to (for example) $clean_POST in your programming, knowing that everything in there has been scrubbed.  Just a thought. ~Ray
0
MHenryAuthor Commented:
Just a quick clarifying question: Does mysql_real_escape_string work with all versions of MySql?

Thanks,
MH
0
Guy Hengel [angelIII / a3]Billing EngineerCommented:
yes, at least as what I know (mysql 3,4,5)
0
MHenryAuthor Commented:
Great. Thanks!
0
Ray PaseurCommented:
For questions like this:

Does mysql_real_escape_string work with all versions of MySql?

It is often useful to refer to the online manual pages for PHP - some of the best online docs in existence, complete with excellent user-contributed notes.  For example,

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

HTH, ~Ray
0
Guy Hengel [angelIII / a3]Billing EngineerCommented:
to clarify: mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
so, it's the php version that is important, and not the mysql version.
<phew>

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.