
Thread: mysqli_real_escape_string()

  1. #1
    Join Date
    May 2010
    Location
    Sacramento, CA
    Posts
    91
    Thanks
    23
    Thanked 2 Times in 2 Posts

    mysqli_real_escape_string()

    I have several forms on my page where users put their input. Now I'm not too sure, but I think there has to be an easier/shorter code to clean up the input.
    Here's what I've got:

    Code:
    <?php
    function check_input($value)
    {
        // Undo magic quotes first so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote and escape anything that is not a number; numbers are passed through bare
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }

    $con = mysql_connect("localhost", "peter", "abc123");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    // Note: no mysql_select_db() call here, so a database must already be
    // selected for the query below to find the users table.

    // Make a safe SQL
    // check_input() must run after mysql_connect(), because
    // mysql_real_escape_string() escapes according to the open connection
    $user = check_input($_POST['user']);
    $pwd = check_input($_POST['pwd']);
    $sql = "SELECT * FROM users WHERE
    user=$user AND password=$pwd";

    mysql_query($sql);

    mysql_close($con);
    ?>
    Just curious if anyone might know of an easier way to accomplish this.

    Thanks!

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts


    Why do you want an easier way to accomplish this?
    You could of course remove the check to see if it's a number and thus convert all numeric input to strings (so instead of 0 you get '0', which isn't a big difference because most conversions will be handled as needed though it might in some cases get messy).
    But beyond that, you need what you have.


    stripslashes() is only needed if you have magic quotes enabled. If you do not, you can remove that part and not worry about it again. But if this might ever go on a server where it is enabled then you need to leave that or you'll end up with weird results. If you can otherwise disable magic quotes (always a good idea to disable it) you could avoid this as well.

    So if:
    1. you don't mind converting numbers to strings [equivalent, but not the same type]
    and
    2. you don't have magic quotes enabled...

    You can just use this
    $x = mysql_real_escape_string($_POST['x']);

    That's it. Of course if 1 or 2 applies above, it can't be that simple.


    And really that code isn't very complex, considering what it's doing.



    By the way, in your title you said "mysqli_real_escape_string()". That is a different function though it does the same thing: mysqli is a newer set of functions for the same stuff that's a little more secure and a little less backward compatible. For the differences try php.net or google. But I'm just noting that you're talking about two different things-- in the code you posted, though, it's all consistent and should work. But remember that you can't mix mysql_ and mysqli_ functions because they aren't compatible.

    Also, note that mysql_real_escape_string() is based NOT on a default setup but on the current database connection. It won't work (at least not well) without an active connection. In other words, it must be used only after mysql_connect() (and maybe mysql_select_db())...
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
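An added example, not code from either post: the poster's check_input() helper rewritten for the mysqli_ functions (the function the thread title actually names), plus the prepared-statement form that answers the "easier way" question by removing escaping and quoting altogether. It also carries the point from reply #2 that the escape function works off the live connection, which is why the connection is opened and its character set pinned before anything is escaped. The connection parameters are placeholders, and mysqli_stmt_get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not from the thread). Connection details are placeholders.

// Connect first: mysqli_real_escape_string() needs an open connection because the
// escaping rules follow the connection's character set.
$con = mysqli_connect("localhost", "DB_USER_PLACEHOLDER", "DB_PASSWORD_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}
// Pin the charset explicitly so the escaping and the server agree on what a byte means.
mysqli_set_charset($con, 'utf8mb4');

// (a) Escape-and-quote helper: the mysqli version of check_input() from post #1.
function check_input_mysqli(mysqli $con, $value)
{
    // Magic quotes were removed in PHP 5.4; keep the stripslashes() step only
    // where the function still exists and reports them as enabled.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Only a plain string of digits is passed through bare; is_numeric() also
    // accepts leading whitespace and exponent forms, which we do not want unquoted.
    if (preg_match('/^-?\d+$/', $value)) {
        return $value;
    }
    // Everything else is escaped against this connection and quoted.
    return "'" . mysqli_real_escape_string($con, $value) . "'";
}

$user = check_input_mysqli($con, $_POST['user']);
$pwd  = check_input_mysqli($con, $_POST['pwd']);
$sql  = "SELECT * FROM users WHERE user=$user AND password=$pwd";
$result = mysqli_query($con, $sql);

// (b) Prepared statement: the values never become part of the SQL text, so there is
// nothing to escape or quote, and numeric vs string input needs no special casing.
$stmt = mysqli_prepare($con, "SELECT * FROM users WHERE user=? AND password=?");
mysqli_stmt_bind_param($stmt, "ss", $_POST['user'], $_POST['pwd']);
mysqli_stmt_execute($stmt);
$result2 = mysqli_stmt_get_result($stmt);   // requires mysqlnd
mysqli_stmt_close($stmt);

mysqli_close($con);
?>
```

Form (b) is the shorter code the first post was looking for: one prepare, one bind, one execute, and the same statement works whether the input is a number or a string. Form (a) is kept only to show where the original helper's pieces go when the connection is an explicit argument.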
