www.webdeveloper.com

Thread: mysql real escape string

  1. #1

    mysql real escape string

    I'm familiar with the use of mysql_real_escape_string, but I am trying to reduce code here on the use of a form.

    As you know, the escape string adds a backslash where necessary, but what happens when submitting a form more than once is that it continues to add backslashes.
    For example, if there are two fields in a form that need to be completed and only one has been, the form should reload asking for all fields to be completed. If a backslash is inserted it will be presented in the textbox, and if you do it numerous times the backslashes will multiply.

    As you can see in the following code, I have posted the values twice to 2 different variables. This does the job and I get the result I am looking for, but my code is a little overworked, as I have to assign the values to two separate variables and I am wanting to do this only once.

    PHP Code:
    <?php

    if (isset($_POST['submit'])) {
        // raw values, echoed back into the form if a field is missing
        $test1 = $_POST['test1'];
        $test2 = $_POST['test2'];

        if ($test1 && $test2) {
            // escaped copies, used only for the query
            $tested1 = mysql_real_escape_string($test1);
            $tested2 = mysql_real_escape_string($test2);

            $sql = $database->query("INSERT INTO test (test1, test2) VALUES ('$tested1','$tested2')");
        }
    }
    ?>
    HTML Code:
    <form action='test.php' method='post'>

        <input type='text' name='test1' value='<?php echo $test1; ?>' />
        <input type='text' name='test2' value='<?php echo $test2; ?>' />
        <input type='submit' name='submit' value='submit'>

    </form>

  2. #2
    There's really no need for copying to different variables:
    PHP Code:
    if (!empty($_POST['test1']) && !empty($_POST['test2']))
    {
        $query = sprintf(
            "INSERT INTO test (test1, test2) VALUES ('%s', '%s')",
            $_POST['test1'],
            $_POST['test2']
        );
        $sql = $database->query($query);
    }

    PHP Code:
    <form action='test.php' method='post'>
        <input type='text' name='test1' value='<?php echo htmlentities($_POST['test1']); ?>' />
        <input type='text' name='test2' value='<?php echo htmlentities($_POST['test2']); ?>' />
        <input type='submit' name='submit' value='submit'>
    </form>
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

  3. #3
    I don't see why you would need to re-assign to one set of variables never mind two. I never understand the desire to make copies of variables all over the place, it just introduces complexity for no reason.

    PHP Code:
    if (isset($_POST['submit'])) {
        if ($_POST['test1'] && $_POST['test2']) {
            // escape at the point of use; the raw $_POST values stay untouched
            $sql = $database->query(sprintf(
                "INSERT INTO test (test1, test2) VALUES ('%s', '%s')",
                mysql_real_escape_string($_POST['test1']),
                mysql_real_escape_string($_POST['test2'])
            ));
        }
    }

    HTML Code:
    <form action='test.php' method='post'>
    
    	<input type='text' name='test1' value='<?php echo isset($_POST['test1']) ? htmlentities($_POST['test1']) : '' ?>' />
    	<input type='text' name='test2' value='<?php echo isset($_POST['test2']) ? htmlentities($_POST['test2']) : '' ?>' />
    	<input type='submit' name='submit' value='submit'>
    	
    </form>

  4. #4
    Works well. Thank you!

  5. #5
    htmlentities may be a bit of overkill. I use stripslashes().

    --Dave

  6. #6
    Quote Originally Posted by Hampster
    htmlentities may be a bit of overkill. I use stripslashes().

    --Dave
    Stripslashes won't do anything to protect you against XSS attacks. If you don't use htmlentities an attacker can inject HTML into your page.
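Putting posts #3 and #6 together, here is an added example (not code from the thread) of the pattern they describe: keep the raw submitted value once, escape it only when it enters SQL, and HTML-encode it only when it is echoed back into the form. It assumes a mysqli connection in $db, a table test(test1, test2) and the file name test.php from the thread; the raw_post, sql_literal and html_attr helper names are invented here.

```php
<?php
// Added example, not from the original posts. Assumes a mysqli connection in $db.

// Read the raw value exactly once. If magic_quotes_gpc is on (PHP < 5.4) PHP has
// already added backslashes; undo that here so re-submitting the form does not
// stack another layer each time, which is the multiplying backslashes from post #1.
function raw_post(string $key): string
{
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// SQL boundary: escape exactly once, using the connection's character set,
// and return the value already wrapped in quotes for the query.
function sql_literal(mysqli $db, string $value): string
{
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}

// HTML boundary: encode for an attribute so a value such as '><script> cannot
// close the value='...' attribute (the XSS case post #6 warns about).
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$test1 = raw_post('test1');
$test2 = raw_post('test2');

if (isset($_POST['submit']) && $test1 !== '' && $test2 !== '') {
    $sql = sprintf(
        'INSERT INTO test (test1, test2) VALUES (%s, %s)',
        sql_literal($db, $test1),
        sql_literal($db, $test2)
    );
    $db->query($sql);
}
?>
<form action='test.php' method='post'>
    <input type='text' name='test1' value='<?php echo html_attr($test1); ?>' />
    <input type='text' name='test2' value='<?php echo html_attr($test2); ?>' />
    <input type='submit' name='submit' value='submit'>
</form>
```

Because the raw value is never overwritten with its escaped form, the text box shows exactly what the user typed no matter how many times the form is re-submitted; a mysqli prepared statement with bound parameters would replace sql_literal entirely and is the preferable form on current PHP.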
