Log in

View Full Version : mysqli_real_escape_string()


crobinson42
05-13-2010, 03:17 PM
I have several forms on my page where user's put their input. Now i'm not to sure but i think there has to be an easier/shorter code to clean up the input
here's what i've got:


<?php
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}

$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

// Make a safe SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>

Just curious if anyone might know of an easier way to accomplish this..

Thanks!
djr33
05-13-2010, 05:21 PM
Why do you want an easier way to accomplish this?
You could of course remove the check to see if it's a number and thus convert all numeric input to strings (so instead of 0 you get '0', which isn't a big difference because most conversions will be handled as needed though it might in some cases get messy).
But beyond that, you need what you have.


strip_slashes is only needed if you have magic quotes enabled. If you do not, you can remove that part and not worry about it again. But if this might ever go on a server where it is enabled then you need to leave that or you'll end up with weird results. If you can otherwise disable magic quotes (always a good idea to disable it) you could avoid this as well.

So if:
1. you don't mind converting numbers to strings [equivalent, but not the same type]
and
2. you don't have magic quotes enabled...

You can just use this
$x = mysql_real_escape_string($_POST['x']);

That's it. Of course if 1 or 2 applies above, it can't be that simple.


And really that code isn't very complex, considering what it's doing.



By the way, in your title you said "mysqli_real_escape_string()". That is a different function though it does the same thing: mysqli is a newer set of functions for the same stuff that's a little more secure and a little less backward compatible. For the differences try php.net or google. But I'm just noting that you're talking about two different things-- in the code you posted, though, it's all consistent and should work. But remember that you can't mix mysql_ and mysqli_ functions because they aren't compatible.

Also, note that mysql_real_escape_string() is based NOT on a default setup but on the current database connection. It won't work (at least not well) without an active connection. In other words, it must be used only after mysql_connect() (and maybe mysql_select_db())...