View Full Version : mysql_real_escape_string

Jon W
01-05-2008, 11:32 PM
Hi, I've been trying to use mysql_real_escape_string in one of my scripts in an if statement. I haven't used it much and I'm not too sure how and when I should use it. I was trying to make a sample form so that when a user submits info to the form it would go to a mailing address. But when I uploaded the script it said that there was an error on line 10. Like I said, I haven't used mysql_real_escape_string that much and I'm not too sure how to use it. I know what it does, but I don't know exactly if I'm supposed to do this:


//or like this..


Here's my full script of what I was trying to do:


$submit = $_POST['submit'];



if(mysql_real_escape_string($_POST['fname') !='' && mysql_real_escape_string($_POST['lname']) !='' && mysql_real_escape_string($_POST['email']) !='' && mysql_real_escape_string($_POST['email']) == mysql_real_escape_string($_POST['confrim_email']) && mysql_real_escape_string($_POST['msg']) !='')

$sendTo = 'email@yahoo.com';
$header = "From: ".mysql_real_escape_string($_POST['email'])."";
$subject = 'Query';
$message = "".mysql_real_escape_string($_POST['msg']."";

mail($sendTo, $subject, $message, $header); // mail() takes (to, subject, message, headers)


So I was just wondering if I could get some help on how and when I should use these. Like I said, I understand what they do, but I'm not too sure if I should use these when I'm submitting something to an e-mail address, or if it's just for database submissions. So if someone could clear this up for me it would be great. Perhaps also give me an idea of what I'm doing wrong in my script, and whether I'm using the function right.

Jon W

01-06-2008, 07:03 AM
You have an error in your script. You have:


should be

You missed a bracket after fname. What error are you getting with this?

01-06-2008, 07:24 AM
should be

you missed a bracket after fname.

You meant:



Also, OP, the $message line should be:

$message = mysql_real_escape_string($_POST['msg']);
And your if condition should be:

if($_POST['fname'] !='' && $_POST['lname'] !='' && $_POST['email'] !='' && $_POST['email'] == $_POST['confrim_email'] && $_POST['msg'] !='')

You can use mysql_real_escape_string() on the values later on, but it's not needed there because the string will only get longer after passing through mysql_real_escape_string().
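
Added example, not part of the original thread: the form check from the posts above, written so that the value placed in the From header is validated for the mail context (no CR/LF, valid address syntax) rather than SQL-escaped. build_contact_mail() is a hypothetical helper and the sample inputs are constructed; the field names and recipient are the thread's.

```php
<?php
// Added example: validate a contact form before handing it to mail().
// build_contact_mail() is a hypothetical helper, not code from the thread.

function build_contact_mail(array $post): ?array
{
    // Required fields, as in the thread's if condition.
    foreach (['fname', 'lname', 'email', 'confrim_email', 'msg'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key]) || trim($post[$key]) === '') {
            return null;
        }
    }
    if ($post['email'] !== $post['confrim_email']) {
        return null;
    }

    // The e-mail value ends up in a header line. A CR or LF in it would let the
    // sender append extra header lines, so reject those, then check the syntax.
    if (preg_match('/[\r\n]/', $post['email'])
        || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // SQL escaping is for values placed into a query. No query is built here,
    // and applied to the message it would only add backslashes to the text
    // the recipient reads.
    return [
        'to'      => 'email@yahoo.com',   // recipient used in the thread
        'subject' => 'Query',
        'message' => $post['msg'],
        'headers' => 'From: ' . $post['email'],
    ];
}

// Constructed sample inputs: one clean, one with a line break in the address.
$clean = ['fname' => 'Ann', 'lname' => 'Lee', 'email' => 'ann@example.com',
          'confrim_email' => 'ann@example.com', 'msg' => "It's a test"];
$withNewline = $clean;
$withNewline['email'] = $withNewline['confrim_email'] = "ann@example.com\r\nX-Injected: 1";

foreach (['clean' => $clean, 'withNewline' => $withNewline] as $name => $input) {
    $m = build_contact_mail($input);
    echo $name, ': ', $m === null ? 'rejected' : 'accepted', "\n";
    // To send an accepted form:
    // mail($m['to'], $m['subject'], $m['message'], $m['headers']);
}
```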
