
A few questions.



asmon
07-23-2007, 06:28 AM
- Why, when I add slashes before I use a query and then remove them, do I still have slashes when I output the variable?
- Does anyone have a guide about checking what characters the user has typed, so I could give an error if the user types quotes or slashes?

ty.

_Aerospace_Eng_
07-23-2007, 06:31 AM
I think the best option here would be to use mysql_real_escape_string(); this way slashes and quotes are escaped before going into the database. No need to tell the user they can't type something. Besides, that's just not user friendly. When you retrieve the data it should come back just fine, just as if the quotes and slashes were never escaped. This is how MySQL works when you use the mysql_real_escape_string function. It's suggested that if magic_quotes_gpc is enabled, you first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice. Here is an example that checks to see if magic_quotes is enabled. If it is, then it applies stripslashes to the data, then it uses mysql_real_escape_string on the data.

function escape_data ($data) {
    // magic_quotes_gpc has already added backslashes to the request data;
    // remove them first so the value is not escaped twice
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    // escape exactly once, for the currently open MySQL connection
    return mysql_real_escape_string ($data);
}

asmon
07-23-2007, 06:58 AM
Then if I still see slashes, it means it has already been escaped before
I used addslashes?
Why can't I just leave it if it has already been escaped
instead of using mysql_real_escape_string?

And about the character check: I also need it for forms where the user is supposed to type only numbers or things such as an email.

One last thing about cookies. If I insert the username into a cookie
and then retrieve it back, is it still escaped? Since it says
mysql_real_escape_string.


Thx again.

_Aerospace_Eng_
07-23-2007, 04:41 PM
See, that's the thing: you ONLY escape the data if it's going into the database. You aren't going to store the cookie in the database. Using mysql_real_escape_string is the secure way of storing data in a database to prevent MySQL injection. http://us2.php.net/mysql_real_escape_string
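As an added example that is not part of the thread, written for PHP 7/8: it reproduces the double escaping asmon describes, validates number and e-mail fields as asked above, and stores the value through a mysqli prepared statement rather than mysql_real_escape_string (which needs an open connection and no longer exists in PHP 7+). The table name, column and connection details are assumed placeholders.

```php
<?php
// Added example (not code from the thread). Shows why slashes pile up when
// magic_quotes_gpc has already escaped the input and addslashes() runs again,
// how to validate number / e-mail fields with filter_var(), and how a mysqli
// prepared statement stores the raw value without any escaping. The table,
// column and connection details are placeholders (assumption).

// 1. Double escaping: what "addslashes on top of magic_quotes_gpc" produces.
$raw     = "O'Reilly";            // what the user actually typed
$fromGpc = addslashes($raw);      // what magic_quotes_gpc put in $_POST: O\'Reilly
$twice   = addslashes($fromGpc);  // escaping it again: O\\\'Reilly
echo $twice, "\n";                // O\\\'Reilly  -> this is what got stored
echo stripslashes($twice), "\n";  // O\'Reilly    -> one layer still remains

// 2. Undo magic quotes first (the setting exists only in PHP < 5.4; on newer
//    versions get_magic_quotes_gpc() is false or, from 8.0, gone entirely).
function unmagic($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 3. Fields that must be a whole number or an e-mail address: validate the
//    shape instead of rejecting quotes and backslashes.
function validate_age($v) {
    $opts = ['options' => ['min_range' => 0, 'max_range' => 150]];
    return filter_var($v, FILTER_VALIDATE_INT, $opts);   // int or false
}
function validate_email($v) {
    return filter_var($v, FILTER_VALIDATE_EMAIL);        // string or false
}
var_dump(validate_age("42"));            // int(42)
var_dump(validate_age("42; DROP x"));    // bool(false)
var_dump(validate_email("a@b.example")); // string(11) "a@b.example"
var_dump(validate_email("a'b"));         // bool(false)

// 4. Storing the value: the SQL text and the value travel separately, so
//    O'Reilly is stored and read back exactly as typed, with no escaping.
function store_username(mysqli $db, $username) {
    $stmt = $db->prepare("INSERT INTO users (username) VALUES (?)");
    $stmt->bind_param('s', $username);
    return $stmt->execute();
}
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // placeholder
// store_username($db, unmagic($_POST['username']));
```

Because nothing is escaped on the way in, the same raw value can go into the cookie and the database unchanged, and it reads back identically from both.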


