mysql_real_escape_string



Jon W
01-06-2008, 12:32 AM
Hi, I've been trying to use mysql_real_escape_string in one of my scripts in an if statement. I haven't used them much and I'm not too sure how and when I should use these. I was trying to make a sample form so that when a user submits info to the form it would go to a mailing address. But when I uploaded the script it said that on line 10 there was an error. Like I said, I haven't used mysql_real_escape_string that much and I'm not too sure how to use them. I know what they do, but I don't know exactly if I'm supposed to do this:


mysql_real_escape($_POST['fname']);

//or like this..

(mysql_real_escape_string($_POST['fname']));




Here's my full script of what I was trying to do:



<?php

$submit = $_POST['submit'];

if(isset($submit))

{


if(mysql_real_escape_string($_POST['fname') !='' && mysql_real_escape_string($_POST['lname']) !='' && mysql_real_escape_string($_POST['email']) !='' && mysql_real_escape_string($_POST['email']) == mysql_real_escape_string($_POST['confrim_email']) && mysql_real_escape_string($_POST['msg']) !='')

{
$sendTo = 'email@yahoo.com';
$header = "From: ".mysql_real_escape_string($_POST['email'])."";
$subject = 'Query';
$message = "".mysql_real_escape_string($_POST['msg']."";

mail($sendTo, $header, $subject, $message);

}
}
?>





So I was just wondering if I could get some help on how and when I should use these. Like I said, I understand what they do, but I'm not too sure if I should use these when I'm submitting something to an e-mail address, or if it's just for database submissions. So if someone could clear this up for me it would be great. Perhaps give me an idea of what I'm doing wrong in my script as well, if I'm using the function right.


Thanks
Jon W

Jacobb123
01-06-2008, 08:03 AM
You have an error in your script. You have:


if(mysql_real_escape_string($_POST['fname')

should be
if(mysql_real_escape_string($_POST['fname]')

You missed a bracket after fname. What error are you getting with this?

Inigoesdr
01-06-2008, 08:24 AM
should be
if(mysql_real_escape_string($_POST['fname]')

you missed a bracket after fname.

You meant:

if(mysql_real_escape_string($_POST['fname'])

:D

Also, OP, the $message line should be:

$message = mysql_real_escape_string($_POST['msg']);
And your if condition should be:

if($_POST['fname'] !='' && $_POST['lname'] !='' && $_POST['email'] !='' && $_POST['email'] == $_POST['confrim_email'] && $_POST['msg'] !='')

You can use mysql_real_escape_string() on the values later on, but it's not needed there because the string will only get longer after passing through mysql_real_escape_string().
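
Added example, not part of the original thread: the form handler from the question written for the mail case, where the input that matters is a CR or LF in the submitted address reaching the From header, not SQL quoting. The function name build_contact_mail and the sample submissions are assumptions made for illustration; the field names and recipient address are taken from the posted script.

```php
<?php
// Added example. build_contact_mail() is a hypothetical helper; field names
// (including 'confrim_email') are copied from the form in the question.
// mysql_real_escape_string() is SQL escaping and is not used here: nothing
// in this script is placed inside a query.

// Returns [to, subject, message, headers] for mail(), or null to reject.
function build_contact_mail(array $post, string $sendTo): ?array
{
    foreach (['fname', 'lname', 'email', 'confrim_email', 'msg'] as $f) {
        // Each field must be present, a string, and non-empty once trimmed.
        if (!isset($post[$f]) || !is_string($post[$f]) || trim($post[$f]) === '') {
            return null;
        }
    }
    $email = trim($post['email']);
    if ($email !== trim($post['confrim_email'])) {
        return null;
    }
    // The address is written into a header line, so a CR or LF inside it
    // could start an extra header. Reject those, then validate the syntax.
    if (preg_match('/[\r\n]/', $email) === 1
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The body only needs consistent CRLF line endings.
    $message = preg_replace('/\r\n|\r|\n/', "\r\n", $post['msg']);
    return [$sendTo, 'Query', $message, 'From: ' . $email];
}

// Handler: note the mail() argument order (to, subject, message, headers).
if (isset($_POST['submit'])) {
    $mail = build_contact_mail($_POST, 'email@yahoo.com');
    if ($mail !== null) {
        mail($mail[0], $mail[1], $mail[2], $mail[3]);
    }
}

// Constructed sample submissions, checked without sending anything.
$ok = ['fname' => 'Ann', 'lname' => 'Lee', 'email' => 'ann@example.com',
       'confrim_email' => 'ann@example.com', 'msg' => "Hello,\nI have a question."];
$crlf = $ok;  // same submission with a CR/LF and a second header in the address
$crlf['email'] = $crlf['confrim_email'] = "ann@example.com\r\nBcc: other@example.com";
foreach (['plain address' => $ok, 'address with CR/LF' => $crlf] as $label => $post) {
    $result = build_contact_mail($post, 'email@yahoo.com');
    echo $label, ': ', $result === null ? 'rejected' : 'accepted', "\n";
}
```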


