
View Full Version : Mysql_real_escape_string



cozzy1984
03-06-2008, 11:07 AM
Hi there, I have done a good few pages for my website in PHP but have been looking into using mysql_real_escape_string to make it more secure and was just wondering whereabouts I add it.

Is it simply a matter of adding it when I define my variables, and is this enough?

For instance, I had on an edit page the variables near the top like this:


if (isset($_POST['submit'])) {
    $email = trim($_POST['email']);
    $forename = trim($_POST['forename']);
    $surname = trim($_POST['surname']);
    $location = $_POST['location'];
    $town = $_POST['town'];
    $msn = $_POST['msn'];
    $website = $_POST['website'];
    $motto = $_POST['motto'];
    $bio = $_POST['bio'];
    $avatar = $_POST['avatar'];
    // ... update query follows
}

and have now changed them into this:


if (isset($_POST['submit'])) {
    $email = mysql_real_escape_string($_POST['email']);
    $forename = mysql_real_escape_string($_POST['forename']);
    $surname = mysql_real_escape_string($_POST['surname']);
    $location = mysql_real_escape_string($_POST['location']);
    $town = mysql_real_escape_string($_POST['town']);
    $msn = mysql_real_escape_string($_POST['msn']);
    $website = mysql_real_escape_string($_POST['website']);
    $motto = mysql_real_escape_string($_POST['motto']);
    $bio = mysql_real_escape_string($_POST['bio']);
    $avatar = mysql_real_escape_string($_POST['avatar']);
    // ... update query follows
}


Basically, I am just wondering if this is the right way to make it more secure and if I need to be using mysql_real_escape_string anywhere else, like in my update queries.

Thanks

Aaron

_Aerospace_Eng_
03-06-2008, 03:48 PM
That depends on where your update values are coming from. If they are user-inputted then yes, you need it there as well. However, you may want to check and see if magic_quotes_gpc is on. This is usually on on most servers; it was taken out in PHP 6. Basically this also escapes the data, so essentially you are escaping the data twice if that is on.
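The point of the reply above is that the escaping belongs at the moment a value is written into the SQL text, and that it must happen exactly once. The following is an added example, not code from the thread, showing one way to do that for the poster's edit page. It assumes a `users` table with an integer `id` column, a MySQL connection opened with placeholder credentials, and a hypothetical `raw_input()` helper that undoes magic_quotes_gpc when it is on. The second function shows the same update with mysqli prepared statements, where the values never touch the SQL string and no escaping is needed at all.

```php
<?php
// Added example (not from the original thread).
// Assumptions: a `users` table with an integer `id`, and the
// placeholder connection details below.

// Undo magic_quotes_gpc so every value is escaped exactly once,
// by us, at query time (not by PHP on the way in).
function raw_input($value) {
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Turn a PHP string into a quoted SQL literal. mysql_real_escape_string
// needs an open connection because it escapes according to the
// connection's character set; pass the link explicitly.
function sql_str($link, $value) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

$link = mysql_connect('localhost', 'dbuser', 'dbpass'); // assumed credentials
mysql_select_db('site', $link);                          // assumed database

if (isset($_POST['submit'])) {
    // Keep the raw, trimmed values in PHP variables. Nothing is escaped yet,
    // so these can still be used for validation, display, or other queries.
    $id       = (int) $_POST['id'];              // numeric context: cast, do not escape
    $email    = trim(raw_input($_POST['email']));
    $forename = trim(raw_input($_POST['forename']));
    $surname  = trim(raw_input($_POST['surname']));
    $motto    = raw_input($_POST['motto']);

    // Escape each string value exactly where it is embedded in the query.
    // Escaping only protects values inside quotes, which is why $id above
    // is cast to an integer instead of escaped.
    $sql = "UPDATE users SET "
         . "email = "    . sql_str($link, $email)    . ", "
         . "forename = " . sql_str($link, $forename) . ", "
         . "surname = "  . sql_str($link, $surname)  . ", "
         . "motto = "    . sql_str($link, $motto)
         . " WHERE id = " . $id;

    if (!mysql_query($sql, $link)) {
        error_log('profile update failed: ' . mysql_error($link)); // log detail server-side
        die('Update failed.');                                     // do not echo SQL errors to users
    }
}

// Alternative: the same update with mysqli prepared statements.
// Values are sent separately from the SQL text, so there is nothing
// to escape and magic quotes only need undoing with raw_input().
function update_profile(mysqli $db, $id, $email, $forename, $surname, $motto) {
    $stmt = $db->prepare(
        'UPDATE users SET email = ?, forename = ?, surname = ?, motto = ? WHERE id = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssssi', $email, $forename, $surname, $motto, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Two things this layout buys you over escaping at the top of the page: the variables stay usable for anything other than SQL (escaped strings are wrong for HTML output or for a second query on a different connection), and a reader can see at each query exactly which values are protected. The integer cast matters because mysql_real_escape_string does nothing for a value used outside quotes.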

cozzy1984
03-06-2008, 05:19 PM
Cheers, I take it that disabling this will be done in the php.ini file?

_Aerospace_Eng_
03-06-2008, 05:23 PM
We need to see the rest of your code, though you are probably better off making a new thread because you in fact did go off topic. As to the magic_quotes thing, if you are on an Apache server you can use htaccess. I use

php_flag magic_quotes_gpc off
in an htaccess file. If your host allows it, or if you are on your own server, you can edit the php.ini file, or you can try uploading a new one to the root of your site.

cozzy1984
03-06-2008, 05:28 PM
Cheers, never mind about the other question, I was testing it on the wrong page, the idiot that I am. It was working all along. Will look into disabling the magic quotes.

How can you check if magic quotes is enabled in the first place? I am using the Wamp5 server, and when I click on it and go to PHP->PHP Settings it gives a list of things, some with ticks and some without. Is this saying they are enabled? If this is the case, magic quotes gpc isn't ticked, nor is magic quotes runtime or magic quotes sybase.

_Aerospace_Eng_
03-06-2008, 05:34 PM
You may not have to disable them. Check to see if they are on first. Put this in a PHP file by itself and upload it, then navigate to it and paste what you see in the browser:


<?php
echo 'magic_quotes_gpc = ' . get_magic_quotes_gpc() . '<br>';
echo 'register_globals = ' . ini_get('register_globals') . '<br>';
?>

cozzy1984
03-06-2008, 05:42 PM
Did that. It says:

magic_quotes_gpc = 0
register_globals =

I am only working on a local server for the time being, and probably won't be uploading to the web. But I might if I can find a free web server that allows PHP.

_Aerospace_Eng_
03-06-2008, 05:43 PM
www.freehostia.com allows PHP and MySQL. Okay, good, magic_quotes_gpc is already off. Run the same check on whatever host you use. If that's a 1 you need to disable them.

cozzy1984
03-06-2008, 05:45 PM
Cheers for your help mate. Really appreciate it

cozzy1984
03-06-2008, 10:24 PM
Got it set up online, and ran the tester file and it says:

magic_quotes_gpc = 1
register_globals = 1

so they are enabled on the online server. Is there a quick way of disabling them?

_Aerospace_Eng_
03-06-2008, 10:27 PM
I told you how already. Also look into ini_set and ini_get.


