When would I need to use the real_escape_string() function in the mysqli class?

When would I need to use the real_escape_string() function in the mysqli class? I read the
explanation in http://php.net/manual/en/function.stripslashes.php

but I'm not sure I understand what it does and when to use it.
Nura111Asked:
Marco GasiFreelancerCommented:
A note: your link is to stripslashes, not to the real_escape_string() function: a typo?

The real_escape_string() function places a backslash before some dangerous characters such as NUL (ASCII 0), \n, \r, \, ', ", and Control-Z (http://it.php.net/manual/en/mysqli.real-escape-string.php). This is useful every time you have to insert values into a database, because it prevents bad data from being inserted. As the PHP manual says, you have to use this function every time you send a query to MySQL.
Ray PaseurCommented:
Use it on everything that is not an internally generated integer.  It will cause no harm and may save your bacon some day!
Nura111Author Commented:
Is it also a security issue if I don't use it?
Ray PaseurCommented:
Yes, it can prevent a foreign agent from injecting information into your queries. Look up SQL injection on this and other sites:
http://en.wikipedia.org/wiki/SQL_injection
Cornelia YoderArtistCommented:
SQL Injection hacking uses certain characters to get access to your database structure and from that to your data.  mysql_real_escape_string() safeties those characters so they cannot be used in a query for hacking purposes.

ALL inputs, and I mean ALL, even hidden inputs, need to be safetied against hacking if they are ever used in any way in any query.

Most inputs should be checked directly ... if it is supposed to be a number, check that it is a number, if it is supposed to be one of three values, check that it is one of those three values, etc.

Text input is the big problem, since it can be made to contain those special characters, and is not easily checked with a whitelist or value type, so you need to use a safety mechanism such as mysql_real_escape_string() to guard it.

EVERY input must be checked, remember that and you won't be coming back here next month asking how to recover from hacking :):)
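To make the point above concrete, here is an added example that is not from the original thread. It uses the mysqli class the question asks about (the answers in this thread name the older mysql_real_escape_string() from the ext/mysql extension, which was removed in PHP 7; the mysqli method does the same escaping, using the connection's character set). The connection details, the users table and the attacker-looking inputs are all assumptions constructed for the demo. It shows the injection, the escaped query, the case escaping cannot cover (an unquoted number, which is why the advice above says "everything that is not an internally generated integer"), and a prepared statement as the alternative that avoids the problem entirely.

```php
<?php
// Added example, not code from the original thread. Assumes a MySQL server
// reachable with the hypothetical credentials below and a table created as:
//   CREATE TABLE users (id INT PRIMARY KEY, email VARCHAR(255));
// The $email and $id values are constructed to look like attacker-supplied form data.

$db = new mysqli('127.0.0.1', 'app', 'secret', 'demo');   // assumed connection details
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
// real_escape_string() escapes according to the connection charset, so set it
// explicitly rather than relying on the server default.
$db->set_charset('utf8mb4');

// Constructed attacker input: the apostrophe closes the string literal and the
// remainder is parsed as SQL.
$email = "nobody@example.com' OR '1'='1";

// 1. Vulnerable: untrusted text pasted straight into the query text (printed, not run).
$sql = "SELECT id, email FROM users WHERE email = '$email'";
// Resulting SQL: ... WHERE email = 'nobody@example.com' OR '1'='1'   -> matches every row
echo $sql, "\n";

// 2. Escaped: the quote becomes \' so the whole value stays inside the literal.
$safe = $db->real_escape_string($email);
$sql  = "SELECT id, email FROM users WHERE email = '$safe'";
// Resulting SQL: ... WHERE email = 'nobody@example.com\' OR \'1\'=\'1'   -> matches nothing
echo $sql, "\n";

// 3. The caveat: escaping only protects values that sit INSIDE quotes. An
//    unquoted numeric slot contains no quote to escape, so the injection survives.
$id  = "1 OR 1=1";   // constructed attacker input for a numeric parameter
$sql = "SELECT id FROM users WHERE id = " . $db->real_escape_string($id);
// Resulting SQL: ... WHERE id = 1 OR 1=1   -> still injected (printed, not run)
echo $sql, "\n";
// For numbers, enforce the type instead: (int) "1 OR 1=1" is 1.
$sql = "SELECT id FROM users WHERE id = " . (int) $id;
echo $sql, "\n";

// 4. Prepared statement: the value is sent separately from the SQL text, so it
//    can never change the statement's structure. Preferred over hand-escaping.
$stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
$stmt->bind_param('s', $email);          // 's' = bind as string
$stmt->execute();
$result = $stmt->get_result();           // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    echo $row['id'], ' ', $row['email'], "\n";
}
$stmt->close();
$db->close();
```

Only the prepared statement is executed against the server; the other three queries are printed so the difference in the generated SQL is visible without touching data. Note that cases 1 and 3 look harmless in a test database with one row; the damage only shows when an attacker supplies the input.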

Nura111Author Commented:
Is it the same issue as not using htmlspecialchars() on a input from a user?
Is there a need to use both?
Nura111Author Commented:
Another thing: so you mean to use mysql_real_escape_string()
on the input before it's used to insert into the db or otherwise, right?


So what is the issue when using {$row['id']} in an HTML form, e.g.
        <td>{$row['id']}</td>
        <td>{$row['timestamp']}</td>
        <td>{$row['email_address']}</td>
        <td>{$fromAddress}</td>
without htmlspecialchars()? I've been told it's a security issue as well; I don't understand why.
Cornelia YoderArtistCommented:
You do not need to use both.  I personally prefer and use htmlspecialchars() on all text input.

The difference is that mysql_real_escape_string just safeties the SQL injection hacking, but not certain other kinds of things.   htmlspecialchars changes ALL special characters into their html &#xxx code equivalents.

The only drawback to using htmlspecialchars is that it takes a few more bytes in your database ... each special character takes 5 bytes instead of 1 ... so if you have a LOT of text with special characters stored, that might be a problem.

The advantage of using htmlspecialchars is that it safeties more things, for example not letting some evil javascript into your database that might be exploited later.
Ray PaseurCommented:
If you accept and store any external textual input, you need to filter it.  If, for example, you're expecting an English-language name you can expect that it will contain alphabetic characters, the space, apostrophe, hyphen, comma, and the period.  Example:

Leonard O'Pinth-Garnell, Jr.

A regular expression that would remove all the other stuff would look something like this (the caret inside the character class implies negation):

/[^ A-Z'.,-]/i

So each time you received a name from an external source, you would apply the regular expression and you would thereby accept only known good values for your name field.

If you have unfiltered or marginally filtered data in your data base, you need to escape it before you send it to the browser output stream.  Otherwise you risk becoming an attack vector against your clients.  Example:

echo '<td>';
echo htmlentities($row["usertext"]);
echo '</td>';

I prefer to escape the data on the outbound side of things, rather than escaping the data before storing it.  If you escape before you put the data into the data base, you may have munged the data, and in any case, you have not stored the data that was sent to you, you have stored something that is a derivative work.  Search algorithms may not work correctly on the escaped data.  The origin of the term is uncertain, but a mung operation makes changes to the data in a way that may be irrevocable and that loses some of the original information.

Required reading:
http://php.net/manual/en/security.php

Old, but still valuable:
http://phpsec.org/projects/guide/

Now having said that, you need to be aware that the whole field of security is growing rapidly.  The US Government has just put a crack team of 115 engineers to work at the National Security Agency for the purpose of studying the field.  The University of Maryland offers a full-time, four-year college major in IT Security.  So you must not assume that you can follow a few "best practices" and things will work out OK.  You need to be learning about the new threats all the time and reviewing your code to see if there are new threats that might cause you to need to refactor your old code.  It's never going to end, so you might as well join the rest of us who do our best to keep up to date on the threats that are around us.

Best regards, ~Ray
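As an added example that is not part of the answer above or the original thread, the following script puts its two recommendations together and also answers the earlier question about echoing {$row['id']} and {$row['email_address']} into table cells: whitelist the name field with the regular expression given above, keep the stored text unmodified, and escape at the point where the data meets HTML. The rows are constructed inline to stand in for what $row would hold after a fetch, and the helper names h() and clean_name() are my own.

```php
<?php
// Added example, not code from the original thread: escape on output, not on input.
// Self-contained; the "database rows" below are constructed to stand in for
// fetched rows, including one that carries hostile text.

declare(strict_types=1);

// Stored values are kept exactly as received (no htmlspecialchars before INSERT),
// so searches and later non-HTML uses (email, CSV, JSON) see the real text.
$rows = [
    ['id' => 1,
     'email_address' => 'alice@example.com',
     'usertext'      => "Leonard O'Pinth-Garnell, Jr."],
    ['id' => 2,
     'email_address' => '"><script>alert(document.cookie)</script>',
     'usertext'      => '<img src=x onerror="alert(1)">'],
];

// One escaping function for HTML text and quoted-attribute contexts.
// ENT_QUOTES also escapes the single quote, which the default flags leave alone;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the charset must match the page's charset or multi-byte tricks can bypass it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Whitelist for a name field, the regular expression from the answer above:
// keep letters, space, apostrophe, hyphen, comma and period; drop everything else.
function clean_name(string $name): string
{
    return preg_replace("/[^ A-Z'.,-]/i", '', $name);
}

header('Content-Type: text/html; charset=UTF-8');
echo "<table>\n";
foreach ($rows as $row) {
    // id is an internally generated integer: cast it, nothing to escape.
    echo '<tr><td>', (int) $row['id'], '</td>';
    // Text context: escape the raw value.
    echo '<td>', h($row['email_address']), '</td>';
    // Row 2 becomes "img srcx onerroralert" after the whitelist; h() then has nothing to do.
    echo '<td>', h(clean_name($row['usertext'])), '</td>';
    // Attribute context: quote the attribute AND escape the value, otherwise the
    // "> in row 2 would terminate the attribute and start a script tag.
    echo '<td><a href="mailto:', h($row['email_address']), '">mail</a></td></tr>', "\n";
}
echo "</table>\n";
```

For row 2 the email cell renders as the literal text `&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;`, so the browser shows the attacker's string instead of executing it. Escaping once, on output, also avoids the munging problem described above: if the same text had been run through htmlspecialchars() before the INSERT and again here, a stored `&amp;` would come out on the page as `&amp;amp;` and display as "&amp;" to the user.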