Do I have to have \' in my database with mysql_real_escape_string() ?



JohnDubya
02-23-2007, 07:09 AM
Ok, so to prevent SQL injection, I've been trying to integrate mysql_real_escape_string() into my queries. Here's my code:


$query = sprintf("INSERT INTO user_receipts SET user_id = '$user_id', subcat_id = '%s', description = '%s', amount = '%f', date_of_receipt = '%s', created_at = NOW(), updated_at = NOW()",
mysql_real_escape_string($subcategorySelect),
mysql_real_escape_string($_POST['description']),
mysql_real_escape_string($NewAmount),
mysql_real_escape_string($date) );

$a = mysql_query($query);

I found this sprintf() code somewhere and used it. It works great, but if the description has an apostrophe, the mysql_real_escape_string() puts a \ before it and sends it to the database. Then, every time I echo the description, it also echoes the \.

My question is...is there a way to not send the \ to the database, or does it need to go? Should I just use stripslashes() every time I have to echo that field? Thanks.

chump2877
02-23-2007, 08:15 AM
My question is...is there a way to not send the \ to the database, or does it need to go? Should I just use stripslashes() every time I have to echo that field? Thanks.

Yes, use stripslashes to read your database data...the easiest thing for you to do (if you have A LOT of database queries) is create or use some kind of MySQL abstraction class that automatically escapes data before it is inserted into your database and unescapes your data for presentation purposes. Then you don't have to bother with adding mysql_real_escape_string and stripslashes to everything...

http://www.google.com/search?q=php+mysql+abstraction+class&ie=utf-8&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a
http://www.phpclasses.org/browse/package/2329.html
http://www.codingforums.com/showthread.php?t=83739&highlight=php+mysql+abstraction+class

printf
02-23-2007, 02:13 PM
I would just create a drop in strip function, then call it if magic_quotes is on and use it on the SUPER GLOBAL you are using in your script, then turn magic_quotes off.

the function...

// strip global

function strip_global ( &$item )
{
    if ( is_array ( $item ) )
    {
        foreach ( $item AS $k => $v )
        {
            if ( is_string ( $v ) )
            {
                $item[$k] = stripslashes ( $v );
            }
            else if ( is_array ( $v ) )
            {
                $item[$k] = strip_global ( $v );
            }
        }
    }

    return $item;
}


Then test if it's needed to be used...


if ( get_magic_quotes_gpc () )
{
    // script is expecting $_POST, so strip the SUPER GLOBAL $_POST

    $_POST = strip_global ( $_POST );

    // now turn magic quotes off
    set_magic_quotes_runtime ( 0 );
}

// now $_POST is ready to use with slashes removed


That will work fine on $_GET, $_POST and $_COOKIE. If you are using the $_FILES SUPER GLOBAL, you will need to walk through the array adding \\ to tmp_name before you run it through strip_global(); example for handling the $_FILES array:


if ( is_array ( $_FILES ) && ! empty ( $_FILES ) )
{
    foreach ( $_FILES AS $k => $v )
    {
        $_FILES[$k]['tmp_name'] = str_replace ( '\\', '\\\\', $v['tmp_name'] );
    }
    $_FILES = strip_global ( $_FILES );
}

Nightfire
02-23-2007, 03:02 PM
To add to the magic quotes bit above, here's what I use


if(!get_magic_quotes_gpc()){
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

printf
02-23-2007, 03:30 PM
To add to the magic quotes bit above, here's what I use


if(!get_magic_quotes_gpc()){
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}


But that will not work on associative arrays; you need to loop so you treat each key => value based on what it is!


<?

// maybe a checkbox array <input type='checkbox' name='array[array_key_1]' value='array_value_1' />

$_POST = array ( 'item' => 'item_value', 'array' => array ( 'array_key_1' => 'array_value_1' ) );

// will give a warning (mysql_real_escape_string() expects parameter 1 to be string, array given)

$_POST = array_map('mysql_real_escape_string', $_POST);

?>
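Added example, not code posted by anyone in this thread: it shows that the backslash the first post finds in the database is stored only when a magic-quoted value is escaped a second time, so stripslashes() on output hides the symptom and the fix is to strip magic quotes on input and escape each value exactly once at the SQL boundary; it also uses array_walk_recursive() in place of the array_map() call from the last post so nested arrays are handled. mysql_real_escape_string() needs a live connection (and was removed in PHP 7), so its escaping rules are emulated here, assuming a single-byte or UTF-8 connection charset; all function and variable names are mine.

```php
<?php
// Added example, not from the thread. mysql_real_escape_string() needs a live
// connection (and was removed in PHP 7), so its rules are emulated below for a
// single-byte/UTF-8 connection charset (assumed): NUL, \n, \r, \, ', " and Ctrl-Z.
function emulate_mysql_escape(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// What MySQL stores after removing exactly one layer of string-literal escaping.
function mysql_unquote(string $literal): string
{
    return strtr($literal, [
        '\\0' => "\0", '\\n' => "\n", '\\r' => "\r", '\\\\' => '\\',
        "\\'" => "'", '\\"' => '"', '\\Z' => "\x1a",
    ]);
}

// Undo magic_quotes_gpc on a whole superglobal, including nested arrays such as
// checkbox groups; array_map() stops at the first level and warns on sub-arrays.
function strip_magic_quotes_recursive(array $input): array
{
    array_walk_recursive($input, function (&$value) {
        if (is_string($value)) {
            $value = stripslashes($value);
        }
    });
    return $input;
}

// Constructed request data as magic_quotes_gpc would deliver it (addslashes() applied).
$post = [
    'description' => addslashes("Bob's receipt"),
    'tags'        => ['a' => addslashes("it's")],
];

// Case 1: escape the magic-quoted value again, as the first post's query effectively did.
// The value is escaped twice, so the stored text keeps a backslash.
$stored_twice = mysql_unquote(emulate_mysql_escape($post['description']));

// Case 2: strip magic quotes on input, then escape exactly once at the SQL boundary.
$clean = strip_magic_quotes_recursive($post);
$stored_once = mysql_unquote(emulate_mysql_escape($clean['description']));

printf("escaped twice: %s\nescaped once:  %s\nnested tag:    %s\n",
    $stored_twice, $stored_once, $clean['tags']['a']);
```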
