I just moved to a new hosting company and now whenever a string gets escaped using mysql_real_escape_string($str); the slashes remain in the database. This is the first time I've ever seen this happen, so none of my scripts use stripslashes() anymore.
This is on a CentOS 4.5 64bit running php 5.2.6 as fastcgi on a lighttpd 1.4 se...
Can you please give me advice? I searched for questions but did not find something similar to mine.
How do I make my user inputs automatically escaped when they are intended for use in SQL queries? I don't like my code being filled with something like
$var_x = $DB->Escape($_POST['var_x']);
$another_var = $DB->Escape($_POST['another_var']...
I have a BUNCH of $_POST variables being sent in via a long form and instead of hard coding each one with a mysql_escape_string() is it ok for me to do the following? I don't know if this is actually safe and/or viable code.
foreach ($_POST as &$post_item) {
    $post_item = mysql_escape_string($post_item);
}
I'm fairly certain that be...
I'm escaping all the string parameters I receive from a php form like this:
$usr_name = mysql_real_escape_string($_REQUEST['usr_name']);
to avoid a few problems with SQL injection. But when I get my string back from the function, I end up with nothing.
Also I keep getting this weird warning in my PHP log:
PHP Warning: mysql_real_escap...
Hello,
I am using FCKEditor with CakePHP and when I save data sent from the editor I want to run the htmlspecialchars() and mysql_real_escape_string() functions on the data to clean it before I store it in my database. The problem is I am not really sure where to do this within the CakePHP framework. I tried in the controller like thi...
Using PHP 5.2.6 in XAMPP :
I read about sql injections here and tried that with the following login form :
<html><body>
<form method='post' action='login.php'>
<input type='text' name='user'/>
<input type='text' name='pass'/>
<input type='submit'/>
</form>
</body></html>
and php code :
<?php
$user = $_P...
I'd like to have a function behaving as mysql_real_escape_string without connecting to database as at times I need to do dry testing without DB connection. mysql_escape_string is deprecated and therefore is undesirable. Some of my findings:
http://www.gamedev.net/community/forums/topic.asp?topic_id=448909
http://w3schools.invisionzone....
Hey everyone,
I'm quite frustrated. I want to be able to insert into my database names with single quotes - for example, O'Connor.
So, when inserting into the DB, I do:
$lname = mysql_real_escape_string($_POST['lname']);
And then I insert $lname into the DB.
When it's in the DB, it appears as O\'Connor.
So, if I were to recall th...
Hi all,
I've been doing some reading on mysqli_real_escape_string(), and, after getting my content properly escaped, I'm having some trouble getting it to display properly when I pull it out again.
Here's the code I have:
function update_section_content() {
$name = mysqli_real_escape_string($this->conn, $_POST['name']);
$text = m...
Say I want to insert into name, address, city, state, zip values $name, $address Etc.....
How can I run mysql_real_escape_string on each of the variables before inserting? There has got to be a foreach or loop or while method instead of writing out each variable, right?
Thanks for the help.
Tom
so if I have
$data = array($address...
I'm having issues escaping/stripping strings with PHP/MySQL - there always seems to be redundant slashes.
Let's take the following string as an example:
<span style="text-decoration:underline;">underline</span>
When adding a string to the database, I'm escaping it with mysql_real_escape_string() and the following gets stored in th...
I've been told that I'd be better using PDO for MySQL escaping, rather than mysql_real_escape_string.
Maybe I'm having a brain-dead day (or it may be the fact I'm by no stretch of the imagination a natural programmer, and I'm still very much at the newbie stage when it comes to PHP), but having checked out the PHP manual and read the en...
In a PHP file, I receive more than 20 variables coming from the client (submitted via a web form) and I have to apply mysql_real_escape_string() more than 20 times. It is quite troublesome; is there a better way to do this job?
...
In PHP, $_POST adds slashes before a quotation mark automatically, so why bother applying mysql_real_escape_string()? For example, when I input 'rrr in an input field, I get \'rrr when I echo it.
...
I'm building a class wrapper for the mysql c api, specifically at the moment for mysql_real_escape_string and I don't think I'm doing it quite right.
this is what I have for the function:
std::string Database::EscapeString(const char *pStr)
{
char *tStr = new char[strlen(pStr)*2+1];
mysql_real_escape_string(m_sqlCon, tStr, pStr...
Hi guys and girls,
I am attempting to upload a .pdf file into a mysql database using php.
It is all good except for the contents of the file. No matter how I try to escape special characters, the query always fails, mostly with "Unknown Command \n".
I have used addslashes, mysql_real_escape_string, removeslashes etc.
Does anyone...
Hi,
Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? Theoretically, the $_SESSION variables can't be modified by the end-user unlike $_GET or $_POST variables right?
Thanks :)
...
Could someone tell me if there is a function which works the same as PHP's mysql_real_escape_string() for Perl from the DBI module?
...
I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right?
However, there is one thing that is confusing me. I seem to remember being...
I have the following code:
function dbPublish($status)
{
    global $dbcon, $dbtable;
    if (isset($_GET['itemId']))
    {
        $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';
        $stmt = $dbcon->prepare($sqlQuery);
        $stmt->bind_param('ii', $status, $_GET['itemId']);
        $stmt->execute();
        $stmt->close();
    }
}
Do I need to mysql...