mysql real escape string

[hgit]

I'm familiar with the use of mysql_real_escape_string but I am trying to reduce code here on the use of a form

as you know the escape string adds a backslash where necessary, but what happens when submitting a form more than once it continues to add back slashes.
for example - if there are two fields in a form that need to be completed and only one has been, the form should reload asking for all fields to be complete. If a back slash is inserted it will be presented in the textbox and if you do it numerous times the backslashes will mutiply.

As you can see in the following code i have posted the values twice to 2 different variables this does the job and i get the result i am looking for, but my code is a little overworked as i have to assign the values to two seperate variables and I am wanting to do this only once

PHP Code:

<?php

if (isset($_POST['submit'])){
    $test1 = $_POST['test1'];
    $test2 = $_POST['test2'];

    if($test1 && $test2){
        $tested1 = mysql_real_escape_value($test1);
        $tested2 = mysql_real_escape_value($test2);
        $sql=$database->query("INSERT INTO test (test1, test2) VALUES ('$tested1','$tested2')");
    }
}
?>

HTML Code:

<form action='test.php' method='post'>

	<input type='text' name='test1' value='<?php echo $test1; ?>' />
	<input type='text' name='test2' value='<?php echo $test2; ?>' />
	<input type='submit' name='submit' value='submit'>
	
</form>

[NogDog]

There's really no need for copying to different variables:

PHP Code:

if (!empty($_POST['test1']) && !empty($_POST['test2']))
{
   $query = sprintf(
      "INSERT INTO test (test1, test2) VALUES ('%s', '%s')",
      $_POST['test1'],
      $_POST['test2']
   );
   $sql = $database->query($query);
} 


PHP Code:

<form action='test.php' method='post'>
    <input type='text' name='test1' value='<?php echo htmlentities($_POST['test1']); ?>' />
    <input type='text' name='test2' value='<?php echo htmlentities($_POST['test2']); ?>' />
    <input type='submit' name='submit' value='submit'>
</form>

[Mindzai]

I don't see why you would need to re-assign to one set of variables never mind two. I never understand the desire to make copies of variables all over the place, it just introduces complexity for no reason.

PHP Code:

if (isset($_POST['submit'])){
    if($_POST['test1'] && $_POST['test2']) {
        $sql = $database->query(sprintf(
            "INSERT INTO test (test1, test2) VALUES ('%s', '%s')",
            mysql_real_escape_string($_POST['test1']),
            mysql_real_escape_string($_POST['test1']),
        ));
    }
} 


HTML Code:

<form action='test.php' method='post'>

	<input type='text' name='test1' value='<?php echo isset($_POST['test1']) ? htmlentities($_POST['test1']) : '' ?>' />
	<input type='text' name='test2' value='<?php echo isset($_POST['test2']) ? htmlentities($_POST['test2']) : '' ?>' />
	<input type='submit' name='submit' value='submit'>
	
</form>

[hgit]

Works well. Thank you!

[Hampster]

htmlentities may be a bit of overkill. I use stripslashes().

--Dave

[Mindzai]

htmlentities may be a bit of overkill. I use stripslashes().

--Dave

Stripslashes won't do anything to protect you against XSS attacks. If you don't use htmlentities an attacker can inject HTML into your page.