  1. #1
    New Coder (Join Date: Feb 2008, Posts: 33)

    Mysql_real_escape_string

    Hi there, I have done a good few pages for my website in PHP but have been looking into using mysql_real_escape_string to make it more secure and was just wondering whereabouts I add it.

    Is it simply a matter of adding it when I define my variables, and is this enough?

    For instance, on an edit page I had the variables near the top like this:

    Code:
    if (isset($_POST['submit'])) {
        // raw form values, some trimmed
        $email = trim($_POST['email']);
        $forename = trim($_POST['forename']);
        $surname = trim($_POST['surname']);
        $location = $_POST['location'];
        $town = $_POST['town'];
        $msn = $_POST['msn'];
        $website = $_POST['website'];
        $motto = $_POST['motto'];
        $bio = $_POST['bio'];
        $avatar = $_POST['avatar'];
        // ... (rest of the edit page, including the update query, not shown)
    }

    and have now changed them to this:

    Code:
    if (isset($_POST['submit'])) {
        // each form value is escaped as soon as it is read (trim() dropped here)
        $email = mysql_real_escape_string($_POST['email']);
        $forename = mysql_real_escape_string($_POST['forename']);
        $surname = mysql_real_escape_string($_POST['surname']);
        $location = mysql_real_escape_string($_POST['location']);
        $town = mysql_real_escape_string($_POST['town']);
        $msn = mysql_real_escape_string($_POST['msn']);
        $website = mysql_real_escape_string($_POST['website']);
        $motto = mysql_real_escape_string($_POST['motto']);
        $bio = mysql_real_escape_string($_POST['bio']);
        $avatar = mysql_real_escape_string($_POST['avatar']);
        // ... (rest of the edit page, including the update query, not shown)
    }

    Basically I am just wondering if this is the right way to make it more secure, and if I need to be using mysql_real_escape_string anywhere else, like in my update queries.

    Thanks

    Aaron

  • #2
    _Aerospace_Eng_ (Supreme Master coder!, Join Date: Dec 2004, Location: In a place far, far away..., Posts: 19,291)
    That depends on where your update values are coming from. If they are user inputted then yes you need them there as well. However you may want to check and see if magic_quotes_gpc is on. This is usually on in most servers, it was taken out in php6. Basically this also escapes the data so essentially you are escaping the data twice if that is in.
    ||||If you are getting paid to do a job, don't ask for help on it!||||
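    A worked version of the point made in #2, added here as an editor's example and not code from the thread: escaping is applied where the value is interpolated into the UPDATE query, after the connection exists, and only for values that sit between quotes; the mysqli prepared-statement form underneath reaches the same result without escaping at all. The `profiles` table, its columns, the `id` field and the connection details are assumptions for illustration, and the example assumes magic_quotes_gpc is off (with it on, the data would be escaped twice, as the reply says). ext/mysql was removed in PHP 7.0, so on current PHP only the mysqli function still runs.

```php
<?php
// Added example, not from the thread. Assumes a `profiles` table with columns
// id, email, forename, surname, motto (assumption) and magic_quotes_gpc = Off.

// ---- ext/mysql: escape at the point of use, inside the quotes ---------------
function update_profile_escaped($link, array $post)
{
    // mysql_real_escape_string() uses the connection's character set, so the
    // connection must already be open when it is called.
    $email    = mysql_real_escape_string(trim($post['email']), $link);
    $forename = mysql_real_escape_string(trim($post['forename']), $link);
    $surname  = mysql_real_escape_string(trim($post['surname']), $link);
    $motto    = mysql_real_escape_string($post['motto'], $link);

    // An integer column is not quoted in SQL, so escaping does nothing for it;
    // cast it instead so that only digits reach the query.
    $id = (int) $post['id'];

    // Every escaped value sits between single quotes. Escaping a value and then
    // using it unquoted would leave the query injectable.
    $sql = "UPDATE profiles
               SET email = '$email', forename = '$forename',
                   surname = '$surname', motto = '$motto'
             WHERE id = $id";

    return mysql_query($sql, $link) !== false;
}

// ---- mysqli prepared statement: no escaping, no quoting ---------------------
function update_profile_prepared(mysqli $db, array $post)
{
    $stmt = $db->prepare(
        'UPDATE profiles SET email = ?, forename = ?, surname = ?, motto = ? WHERE id = ?'
    );
    if ($stmt === false) {
        return false;
    }
    // bind_param() takes its arguments by reference, hence the local variables.
    $email    = trim($post['email']);
    $forename = trim($post['forename']);
    $surname  = trim($post['surname']);
    $motto    = $post['motto'];
    $id       = (int) $post['id'];
    // Types: four strings and one integer, matching the five placeholders in order.
    $stmt->bind_param('ssssi', $email, $forename, $surname, $motto, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['submit'])) {
    // host, user, password and database name are placeholders
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
    if ($db->connect_error) {
        die('connect failed: ' . $db->connect_error);
    }
    if (!update_profile_prepared($db, $_POST)) {
        die('update failed');
    }
    $db->close();
}
?>
```

    The prepared-statement version is the one to use for new code: the values never become part of the SQL text, so the quoting and escaping questions in the thread do not arise, and a value such as O'Neil is stored exactly as typed.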

  • #3
    New Coder (Join Date: Feb 2008, Posts: 33)
    Cheers, I take it that disabling this will be done in the php.ini file?

  • #4
    _Aerospace_Eng_ (Supreme Master coder!, Join Date: Dec 2004, Location: In a place far, far away..., Posts: 19,291)
    We need to see the rest of your code, though you are probably better off making a new thread because you in fact did go off topic. As to the magic_quotes thing, if you are on an Apache server you can use htaccess. I use
    Code:
    php_flag magic_quotes_gpc off
    in an .htaccess file. If your host allows it, or if you are on your own server, you can edit the php.ini file, or you can try uploading a new one to the root of your site.

  • #5
    New Coder (Join Date: Feb 2008, Posts: 33)
    Quote Originally Posted by _Aerospace_Eng_:
    We need to see the rest of your code, though you are probably better off making a new thread because you in fact did go off topic. As to the magic_quotes thing, if you are on an Apache server you can use htaccess. I use
    Code:
    php_flag magic_quotes_gpc off
    in an .htaccess file. If your host allows it, or if you are on your own server, you can edit the php.ini file, or you can try uploading a new one to the root of your site.
    Cheers, never mind about the other question, I was testing it on the wrong page, the idiot that I am. It was working all along. I will look into disabling the magic quotes.

    How can you check if magic quotes are enabled in the first place? I am using the Wamp5 server, and when I click on it and go to PHP->PHP Settings it gives a list of things, some with ticks and some without. Is this saying they are enabled? If this is the case, magic_quotes_gpc isn't ticked, nor are magic_quotes_runtime or magic_quotes_sybase.
    Last edited by cozzy1984; 03-06-2008 at 05:33 PM.

  • #6
    _Aerospace_Eng_ (Supreme Master coder!, Join Date: Dec 2004, Location: In a place far, far away..., Posts: 19,291)
    Quote Originally Posted by cozzy1984:
    Cheers, never mind about the other question, I was testing it on the wrong page, the idiot that I am. It was working all along. I will look into disabling the magic quotes.
    You may not have to disable them. Check to see if they are on first. Put this in a PHP file by itself and upload it, then navigate to it and paste what you see in the browser:
    PHP Code:
    <?php
    // get_magic_quotes_gpc() returns 1 when magic quotes are on, 0 when off
    echo 'magic_quotes_gpc = ' . get_magic_quotes_gpc() . '<br>';
    echo 'register_globals = ' . ini_get('register_globals') . '<br>';
    ?>

  • #7
    New Coder (Join Date: Feb 2008, Posts: 33)
    Quote Originally Posted by _Aerospace_Eng_:
    You may not have to disable them. Check to see if they are on first. Put this in a PHP file by itself and upload it, then navigate to it and paste what you see in the browser:
    PHP Code:
    <?php
    // get_magic_quotes_gpc() returns 1 when magic quotes are on, 0 when off
    echo 'magic_quotes_gpc = ' . get_magic_quotes_gpc() . '<br>';
    echo 'register_globals = ' . ini_get('register_globals') . '<br>';
    ?>
    Did that. It says:

    magic_quotes_gpc = 0
    register_globals =

    I am only working on a local server for the time being, and probably won't be uploading to the web. But I might if I can find a free web server that allows PHP.

  • #8
    _Aerospace_Eng_ (Supreme Master coder!, Join Date: Dec 2004, Location: In a place far, far away..., Posts: 19,291)
    www.freehostia.com allows PHP and MySQL. Okay, good, magic_quotes_gpc is already off. Run the same check on whatever host you use. If that's a 1 you need to disable them.

  • #9
    New Coder (Join Date: Feb 2008, Posts: 33)
    Quote Originally Posted by _Aerospace_Eng_:
    www.freehostia.com allows PHP and MySQL. Okay, good, magic_quotes_gpc is already off. Run the same check on whatever host you use. If that's a 1 you need to disable them.
    Cheers for your help, mate. Really appreciate it.

  • #10
    New Coder (Join Date: Feb 2008, Posts: 33)
    Got it set up online and ran the tester file, and it says:

    magic_quotes_gpc = 1
    register_globals = 1

    so they are enabled on the online server. Is there a quick way of disabling them?

  • #11
    _Aerospace_Eng_ (Supreme Master coder!, Join Date: Dec 2004, Location: In a place far, far away..., Posts: 19,291)
    I told you how already. Also look into ini_set and ini_get.
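    The check from #6 and the "quick way of disabling them" asked about in #10, carried through as an added example (editor's code, not from the thread). magic_quotes_gpc and register_globals are both PHP_INI_PERDIR settings, applied before the script starts, so ini_set() cannot switch them off for the running request; they go in php.ini or in a .htaccess php_flag line as in #4, or the code undoes magic quotes itself at the top of every request, which is what this block does. With magic quotes left on and mysql_real_escape_string applied as well, a value such as O'Neil reaches the database as O\'Neil, which is the double escaping #2 warns about. The `strip_magic_quotes` and `magic_quotes_active` helpers, and the `$constructed` sample input (what magic_quotes_gpc would have produced from a motto field containing an apostrophe and double quotes), are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Put this at the top of every request
// (for example in a shared include) so that code further down always sees raw
// input and escapes it exactly once.
//
// Config alternatives (one of these, not ini_set(): both settings are
// PHP_INI_PERDIR and are already applied when the script starts):
//   php.ini   : magic_quotes_gpc = Off
//               register_globals = Off
//   .htaccess : php_flag magic_quotes_gpc off
//               php_flag register_globals off

function strip_magic_quotes($value)
{
    // Magic quotes put a backslash before ' " \ and NUL in every GET/POST/COOKIE
    // value, including values nested in arrays (form fields named like tags[]),
    // so walk arrays recursively and stripslashes() each leaf.
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

function magic_quotes_active()
{
    // The magic quotes feature was removed in PHP 5.4 and get_magic_quotes_gpc()
    // itself in PHP 8.0, so guard the call: on any modern PHP this is just false.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

if (magic_quotes_active()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Self-check on constructed input (assumed sample values): this is what
// magic_quotes_gpc would have made of  O'Neil says "hi"  and  a'b .
$constructed = array(
    'motto' => 'O\\\'Neil says \\"hi\\"',
    'tags'  => array('a\\\'b'),
);
$clean = strip_magic_quotes($constructed);
if ($clean['motto'] !== 'O\'Neil says "hi"' || $clean['tags'][0] !== 'a\'b') {
    die('strip_magic_quotes did not restore the original input');
}
?>
```

    After this runs, the rest of the page can treat `$_POST` as raw input on every host, whether the check from #6 printed 0 or 1, and apply mysql_real_escape_string (or a prepared statement) once at the query.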
