Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Need help using  mysql_real_escape_string. PHP, windows, MySql

Posted on 2009-07-12
9
Medium Priority
?
352 Views
Last Modified: 2013-12-13
I have the following insert statement that is working fine. I want to make sure though that it's not subject to any sql injection. I've read that using  mysql_real_escape_string is the way to go.

Can anyone show me how to use it around this insert?

<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) ';
$sql .= 'VALUES ("'.$_POST["customerID_cart"].'","'.$badge["firstName"].'","'.$badge["lastName"].'","'.$badge["badgeName"].'","'.$badge["email"].'","'.$_POST["membType"].'");';
mysql_query($sql);
}
0
Comment
Question by:MHenry
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 143

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 2000 total points
ID: 24835758
simple: you apply it to each individual string value:
<?php foreach ($_POST["badge"] as $badge){ // each badge is one array itself
$sql = 'INSERT INTO attendeenames (customerID_cart,firstName,lastName,badgeName,email,membType) '; 
$sql .= 'VALUES ("'.mysql_real_escape_string ($_POST["customerID_cart"]).'","'.mysql_real_escape_string($badge["firstName"]).'","'.mysql_real_escape_string($badge["lastName"]).'","'.mysql_real_escape_string($badge["badgeName"]).'","'.mysql_real_escape_string($badge["email"]).'","'.mysql_real_escape_string($_POST["membType"]).'");';
mysql_query($sql);
}

Open in new window

0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24836306
You might want to know the settings for "magic_quotes" and use stripslashes() on the POST fields if needed.  Then use mysql_real_escape_string().

See the PHP function here: http://us3.php.net/manual/en/function.get-magic-quotes-runtime.php
See also the security section here: http://us3.php.net/manual/en/security.magicquotes.php

Best regards, ~Ray
0
 
LVL 20

Expert Comment

by:NerdsOfTech
ID: 24847158
Use mysql_real_escape_string

as magic_quotes is deprecated.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24849412
One strategy for dealing with this kind of input is to have a "cleanup" routine for the $_POST array.  You go through it once, perhaps via a function call, and make sure that you have processed each possible field into only "known good values" - this is where to add the escape strings.  Then you can refer to (for example) $clean_POST in your programming, knowing that everything in there has been scrubbed.  Just a thought. ~Ray
0
 
LVL 7

Author Comment

by:MHenry
ID: 24874315
Just a quick clarifying question: Does mysql_real_escape_string work with all versions of MySql?

Thanks,
MH
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24874378
yes, at least as what I know (mysql 3,4,5)
0
 
LVL 7

Author Closing Comment

by:MHenry
ID: 31602624
Great. Thanks!
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 24879697
For questions like this:

Does mysql_real_escape_string work with all versions of MySql?

It is often useful to refer to the online manual pages for PHP - some of the best online docs in existence, complete with excellent user-contributed notes.  For example,

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

HTH, ~Ray
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 24879753
to clarify: mysql_real_escape_string (PHP 4 >= 4.3.0, PHP 5)
so, it's the php version that is important, and not the mysql version.
<phew>

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question