
Thread: mysql_real_escape_string and strip_tags

  1. #1
    Join Date
    Dec 2006

    mysql_real_escape_string and strip_tags

    I have a few questions, if it's OK. I've been updating my site with mysql_real_escape_string and strip_tags; the questions are below in the code. Thanks...

    questions and code:
    PHP Code:
    question 1
    Should this code:
    <?php echo $rows['message']; ?>

    be like this?
    <?php echo mysql_real_escape_string(strip_tags($rows['message'])); ?>

    question 2
    For this code, do I need to use mysql_real_escape_string and strip_tags? If so, how?

    $sql="SELECT sendto, from, created, status FROM list where status = '1'";

    question 3
    For the password fields, should I also use mysql_real_escape_string and strip_tags, like this?

    $password = mysql_real_escape_string(strip_tags($_POST['password']));

  2. #2
    Join Date
    May 2012
    Not really.

    mysql_real_escape_string will essentially add the escape character (\) to quotes (amongst a few others) in a string:

    PHP Code:
    $string = "this 'is a test'";
    echo mysql_real_escape_string($string);

    // this \'is a test\'
    strip_tags will remove < and >s from the string - basically, HTML tags.
    PHP Code:
    $test = '<p>this is a test</p>';
    echo strip_tags($test);

    // this is a test
    You want to use mysql_real_escape_string on data to prep it for insert in the database. Then probably stripslashes() before echoing it to the browser.

    magic_quotes_gpc throws a monkey wrench (odd saying) into the whole thing, but let's ignore that I said that for now.

    Personally, my advice, though: if you're just starting out with PHP, don't bother spending too much time on the mysql drivers. They've been replaced by mysqli (i as in 'improved') and PHP's own PDO. mysql is in the process of being deprecated. Look for PDO tutorials... it may seem a little abstract at first but will make your life easier in the long run - for example, PDO takes care of all the escape string stuff for you.

    There's a ton of mysql tutorials out there and most of them, expectedly, are quite outdated. At this point they do a disservice.
    / soapbox
    "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
    -- Douglas Adams

    Have you minified your CSS/JS lately?
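The query side of questions 2 and 3, written with PDO prepared statements as post #2 suggests. This is an added example, not code from the thread or from any of its posters; the `list` table and its columns come from the question, while the `users` and `messages` tables, their columns and the POST field names are assumed for illustration.

```php
<?php
// Added example, not code from the thread: the query side of questions 2 and 3,
// written with PDO prepared statements as post #2 recommends, so no
// mysql_real_escape_string() call is needed anywhere.
// Assumptions (hypothetical, not from the thread): a `users` table with
// `id`, `username` and `password` columns, and a `messages` table with a
// `message` column. The `list` table and its columns come from the question.

function connect(): PDO
{
    // Constructed DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass');
    // Fail loudly on SQL errors instead of returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use server-side prepared statements rather than client-side emulation,
    // so bound values travel separately from the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Question 2: this query contains no user input, so there is nothing to escape.
// `from` is a reserved word in MySQL and is quoted with backticks.
function listActiveRows(PDO $pdo): array
{
    $sql = "SELECT sendto, `from`, created, status FROM list WHERE status = '1'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Question 3: the submitted password enters the query only as a bound parameter.
// Quotes or backslashes in it are compared as data and cannot change the SQL.
// (How the password is stored and compared is outside the thread's scope; the
// binding rule is the same whatever form the stored value takes.)
function findUser(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Storing a message: the value is bound, not concatenated, and is stored exactly
// as typed. No backslashes are added, which is why post #4 says stripslashes()
// is not needed when reading it back.
function insertMessage(PDO $pdo, string $message): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (message) VALUES (:m)');
    $stmt->execute([':m' => $message]);
    return (int) $pdo->lastInsertId();
}

// Usage, wired to the request as in the question (POST field names are assumed):
// $pdo  = connect();
// $user = findUser($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// $id   = insertMessage($pdo, $_POST['message'] ?? '');
// foreach (listActiveRows($pdo) as $row) { /* ... */ }
```

With bound parameters the escaping step disappears entirely, and strip_tags is not needed for storage either: the database holds exactly what the user typed, and the HTML question is dealt with at output time.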

  3. #3
    Join Date
    Jan 2006
    mysql_real_escape_string() should be used mainly to sanitize form data, or data that might be incoming on a url such as "get" data.

    Data that is in your database i.e. $row['somefield'] does not need it.

  4. #4
    Join Date
    Aug 2004
    Just a clarification here: when mysql_real_escape_string() is used to sanitize inputs before using them in a MySQL query (a very good thing to do, mind you), the back-slashes it puts in the string do not actually end up in the database, so there is no need to do a stripslashes() on data subsequently retrieved from the DB.

    So mysql_real_escape_string() is only intended for securing string data being used in a MySQL query string, but has no purpose when outputting data to a browser -- htmlspecialchars() or htmlentities() is more appropriate for that.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework
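The output side of question 1, showing what each function does to a message about to be echoed into a page. This is an added example, not code from the thread or from any poster; because mysql_real_escape_string() needs an open connection, addslashes() is used as a stand-in that adds the same backslashes before quotes, and the sample message is constructed.

```php
<?php
// Added example, not code from the thread: what each function does to a message
// that is about to be echoed into an HTML page (question 1). mysql_real_escape_string()
// needs an open MySQL connection, so addslashes() stands in for it here: it adds the
// same backslashes before quotes, which is enough to show the effect on output.

// Constructed sample: ordinary text that happens to contain quotes, an ampersand,
// a comparison sign and an HTML tag.
const SAMPLE_MESSAGE = 'Alice said "1 < 2 is true" & it\'s <b>bold</b>';

// What the question proposed: SQL-escape and strip tags at output time.
// The backslashes show up in the page, and whatever strip_tags() leaves behind
// (a bare < or &) is still handed to the browser as markup.
function outputAsInQuestion(string $message): string
{
    return addslashes(strip_tags($message));
}

// What post #4 recommends: encode for the HTML context only. Every character that
// means something to the HTML parser becomes an entity, nothing is dropped, and
// the browser displays the message exactly as it was typed.
function outputEncoded(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

// Side-by-side results for one message.
function compareOutputs(string $message): array
{
    return [
        'raw'              => $message,
        'strip_tags'       => strip_tags($message),
        'as_in_question'   => outputAsInQuestion($message),
        'htmlspecialchars' => outputEncoded($message),
    ];
}

foreach (compareOutputs(SAMPLE_MESSAGE) as $label => $value) {
    printf("%-18s %s\n", $label, $value);
}
```

Running it prints the four variants; the point to look at is that strip_tags() silently discards part of the text while htmlspecialchars() keeps all of it, and that the SQL-style backslashes have no business in the page at all.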

  5. #5
    Join Date
    Dec 2006
    Wow, thanks everyone for all the info.
