  1. #1  New Coder, joined Aug 2002, 86 posts

    mysql_real_escape not working

    Hi

    I have the following function and have added the mysql_real_escape to try and stop SQL injection, but it's not working.
    If I enter some ' ' into the form field and then look into my database, the ' ' are still there with no backslashes.

    Anyone see the problem ?

    PHP Code:
    function insertintodatabase() {
        // Configuration values are defined outside the function, so they have to be
        // brought into its scope (the original omits this line, leaving them unset).
        global $host, $username, $password, $db_name, $tbl_name;

        // Connect to server and select database.
        mysql_connect("$host", "$username", "$password") or die("cannot connect");
        mysql_select_db("$db_name") or die("cannot select DB");

        // Get values from form (only the enquiry field is escaped here)
        $department=$_POST['department'];
        $name=$_POST['yourname'];
        $email=$_POST['emailaddress'];
        $phone=$_POST['phonenumber'];
        $comments=mysql_real_escape_string($_POST['enquiry']);
        $optin=$_POST['salesoptin'];

        // Insert data into mysql
        $sql="INSERT INTO $tbl_name(Department, Full_Name, Email_Address, Phone_Number, Comments, Email_Optin) VALUES('$department', '$name', '$email', '$phone', '$comments', '$optin')";
        $result=mysql_query($sql);

        // close connection
        mysql_close();
    }


  • #2  Fou-Lu (God Emperor), Saskatoon, Saskatchewan, joined Sep 2002, 16,987 posts
    Quote Originally Posted by waps2:
    ...If I enter some ' ' into the form field and then look into my database, the ' ' are still there with no backslashes.
    This indicates you have done this correctly. Backslashes should not appear in the database; their job is to prevent the actual query from becoming escaped.
    You should actually detect the existence of magic_quotes and deal with them if necessary:
    PHP Code:
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        $_POST['enquiry'] = stripslashes($_POST['enquiry']);
    }

    $comments = mysql_real_escape_string($_POST['enquiry']);
    Best to write as a function or use a direct map to the entire $GLOBALS to deal with them.
    Don't forget that you have to escape any string going into your database. According to this, every field inserted is a string.
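
    The two points in this post, undoing magic_quotes_gpc before escaping and escaping every string field rather than just one, written out as a complete replacement for the insert. This is an added example, not code from the thread or from anyone in it; it assumes the legacy mysql_* extension on PHP 5.x with a connection already open, that $tbl_name comes from trusted configuration, and the form field names used in the original function. The stripping helper recurses so that array-valued fields (name="x[]") are handled too, which the single-field version above does not cover.

```php
<?php
// Added example, not the thread's code. Assumes the legacy mysql_* extension,
// an open connection (mysql_real_escape_string needs one), and that $tbl_name
// was set from configuration, never from the request.

// Undo magic_quotes_gpc on every value, recursing into nested arrays, so that
// mysql_real_escape_string() does not double-escape what PHP already escaped.
function strip_magic_quotes_deep($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST   = strip_magic_quotes_deep($_POST);
    $_GET    = strip_magic_quotes_deep($_GET);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// Map form field names (from the original function) to the columns of the
// thread's INSERT. Every one of these ends up inside quotes in the query,
// so every one of them is escaped, not only 'enquiry'.
$fields = array(
    'department'   => 'Department',
    'yourname'     => 'Full_Name',
    'emailaddress' => 'Email_Address',
    'phonenumber'  => 'Phone_Number',
    'enquiry'      => 'Comments',
    'salesoptin'   => 'Email_Optin',
);

$columns = array();
$values  = array();
foreach ($fields as $post_key => $column) {
    $raw = isset($_POST[$post_key]) ? $_POST[$post_key] : '';
    if (is_array($raw)) {
        $raw = '';   // this form has no array fields; refuse rather than implode
    }
    $columns[] = $column;
    $values[]  = "'" . mysql_real_escape_string($raw) . "'";
}

$sql = "INSERT INTO $tbl_name (" . implode(', ', $columns) . ")"
     . " VALUES (" . implode(', ', $values) . ")";

if (!mysql_query($sql)) {
    // Log the real error server-side; do not echo mysql_error() to the user,
    // since it reveals table and column names.
    error_log('insert failed: ' . mysql_error());
    die('Sorry, your enquiry could not be saved.');
}
```

    After this runs, a comment such as O'Brien is stored as O'Brien: the backslash exists only inside $sql, and MySQL removes it when it parses the string literal. Note that mysql_real_escape_string() uses the connection's character set, so the connection should be set to the same charset the table uses before any escaping happens.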

  • #3  New Coder, joined Aug 2002, 86 posts
    Oh god now I feel a little dumb lol

    Do you mean it would be better to use the mysql_real_escape on all the $_POST values?

    Thanks Fou-Lu

  • #4  felgall (Master Coder), Sydney, Australia, joined Sep 2005, 6,627 posts
    The better solution would be to use mysqli_ or PDO with prepare and bind statements so as to keep the query and the data in separate statements and so eliminate the possibility of sql injection completely.

    If you decide to keep the query and data jumbled together then you need to escape any data that is allowed to contain characters that can be confused with the query itself. All data that isn't allowed to contain such values should have failed validation if an sql injection attempt via those fields was attempted. Validation should block all injection attempts other than with fields where that input would actually be valid long before attempting to access the database.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #5  Fou-Lu (God Emperor), Saskatoon, Saskatchewan, joined Sep 2002, 16,987 posts
    Quote Originally Posted by waps2:
    Oh god now I feel a little dumb lol

    Do you mean it would be better to use the mysql_real_escape on all the $_POST values?

    Thanks Fou-Lu
    No, I mean that stripslashes should be applied if the magic_quotes_gpc environment is running.

    Quote Originally Posted by felgall:
    The better solution would be to use mysqli_ or PDO with prepare and bind statements so as to keep the query and the data in separate statements and so eliminate the possibility of sql injection completely.

    If you decide to keep the query and data jumbled together then you need to escape any data that is allowed to contain characters that can be confused with the query itself. All data that isn't allowed to contain such values should have failed validation if an sql injection attempt via those fields was attempted. Validation should block all injection attempts other than with fields where that input would actually be valid long before attempting to access the database.
    I fully agree with this. If MySQLi or PDO is an option available for you, I would also use prepared statements. Stripslashes from gpc would still apply of course, but no escaping needs to be done beyond this.
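
    The approach recommended in #4 and #5, the same insert rewritten with PDO prepared statements and with validation of the fields whose format is known before the database is touched. This is an added example, not code posted by anyone in the thread; it assumes $host, $db_name, $username, $password and $tbl_name are set from trusted configuration, the form field names from the original function, and an assumed list of allowed department values. It also handles the point made in #5 that magic quotes still have to be undone first, since bound parameters store whatever they are given, backslashes included.

```php
<?php
// Added example, not the thread's code. Assumes PDO with the MySQL driver and
// that $host, $db_name, $username, $password, $tbl_name come from configuration.

// Magic quotes (PHP < 5.4) must still be undone: a bound parameter stores the
// value exactly as given, so a leftover backslash would end up in the table.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes', $_POST);   // flat form, no array fields
}

// Validate every field whose format is known. Any failure stops the request
// before a query exists, so those fields can never carry an injection attempt.
$allowed_departments = array('sales', 'support', 'billing');   // assumed values
$errors = array();

$department = isset($_POST['department']) ? $_POST['department'] : '';
if (!in_array($department, $allowed_departments, true)) { $errors[] = 'department'; }

$name = isset($_POST['yourname']) ? trim($_POST['yourname']) : '';
if ($name === '' || strlen($name) > 100) { $errors[] = 'yourname'; }

$email = isset($_POST['emailaddress']) ? $_POST['emailaddress'] : '';
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'emailaddress'; }

$phone = isset($_POST['phonenumber']) ? $_POST['phonenumber'] : '';
if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $phone)) { $errors[] = 'phonenumber'; }

// Free text: quotes and semicolons are legitimate here, so it is not filtered.
// The placeholder below is what keeps it from being parsed as SQL.
$comments = isset($_POST['enquiry']) ? $_POST['enquiry'] : '';
if (strlen($comments) > 4000) { $errors[] = 'enquiry'; }

$optin = (isset($_POST['salesoptin']) && $_POST['salesoptin'] === '1') ? 1 : 0;

if ($errors) {
    die('Invalid input in: ' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8'));
}

try {
    $pdo = new PDO("mysql:host=$host;dbname=$db_name;charset=utf8", $username, $password, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ));

    // The table name cannot be a placeholder (identifiers are not data), which
    // is why $tbl_name must come from configuration and never from the request.
    $stmt = $pdo->prepare(
        "INSERT INTO $tbl_name (Department, Full_Name, Email_Address, Phone_Number, Comments, Email_Optin)
         VALUES (:department, :name, :email, :phone, :comments, :optin)"
    );
    $stmt->execute(array(
        ':department' => $department,
        ':name'       => $name,
        ':email'      => $email,
        ':phone'      => $phone,
        ':comments'   => $comments,   // O'Brien is stored as O'Brien, no backslash, no escaping call
        ':optin'      => $optin,
    ));
} catch (PDOException $e) {
    // Log server-side; an uncaught exception could print the DSN and credentials.
    error_log('insert failed: ' . $e->getMessage());
    die('Sorry, your enquiry could not be saved.');
}
```

    With emulated prepares turned off, the query text and the parameter values travel to the server in separate protocol messages, which is what "keeping the query and the data in separate statements" means in practice: there is no string in which a quote from the form could change the query's structure. The validation block still matters because a prepared statement only prevents injection; it does not stop a bogus email address or a 50 kB "phone number" from being stored.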

