mysql_real_escape_string and strip_tags
I have a few questions, if it's ok. I've been updating my site with mysql_real_escape_string and strip_tags; the questions are below in the code. Thanks...
questions and code:
Should this code:
<?php echo $rows['message']; ?>
Be like this?:
<?php echo mysql_real_escape_string(strip_tags($rows['message'])); ?>
For this code, do I need to use mysql_real_escape_string and strip_tags? If so, how?:
$sql="SELECT sendto, `from`, created, status FROM list where status = '1'";
For the password fields, should I also use mysql_real_escape_string and strip_tags, like this?:
$password = mysql_real_escape_string(strip_tags($_POST['password']));
mysql_real_escape_string will essentially add the escape character (\) to quotes (amongst a few others) in a string:
Strip tags will remove < and >s from the string - basically, html tags.
$string = "this 'is a test'";
echo mysql_real_escape_string($string); // this \'is a test\'
You want to use mysql_real_escape_string on data to prep it for insert in the database. Then probably stripslashes() before echoing it to the browser.
$test = '<p>this is a test</p>';
echo strip_tags($test); // this is a test
magic_quotes_gpc throws a monkey wrench (odd saying) into the whole thing, but let's ignore that I said that for now.
Personally, my advice though: if you're just starting out with php, don't bother spending too much time on the mysql drivers. They've been replaced by mysqli (i as in 'improved') and php's own PDO. mysql is in the process of being deprecated. Look for PDO tutorials... it may seem a little abstract at first but will make your life easier in the long run - for example, PDO takes care of all the escape string stuff for you.
There's a ton of mysql tutorials out there and most of them, expectedly, are quite outdated. At this point they do a disservice.
mysql_real_escape_string() should be used mainly to sanitize form data, or data that might be incoming on a url such as "get" data.
Data that is in your database i.e. $row['somefield'] does not need it.
Just a clarification here: when mysql_real_escape_string() is used to sanitize inputs before using them in a MySQL query (a very good thing to do, mind you), the back-slashes it puts in the string do not actually end up in the database, so there is no need to do a stripslashes() on data subsequently retrieved from the DB.
So mysql_real_escape_string() is only intended for securing string data being used in a MySQL query string, but has no purpose when outputting data to a browser -- htmlspecialchars() or htmlentities() is more appropriate for that.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
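Putting the later replies together as an added example (my own code, not anything posted in this thread): the three spots the question asks about, with PDO bound parameters on the query side and htmlspecialchars() only at output time. It assumes the pdo_sqlite extension and uses an in-memory SQLite table in place of the MySQL one; the table and column names are made up for the demo.

```php
<?php
// Constructed example: an in-memory SQLite database stands in for MySQL so
// the script runs offline. Table and column names are made up for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE list (id INTEGER PRIMARY KEY, sendto TEXT, message TEXT, status INTEGER)");

// Untrusted form input as a browser might send it: both quotes and markup.
$message = "it's <b>bold</b> and 'quoted'";

// 1) Writing to the database: a bound parameter does the escaping for you,
//    so nothing is escaped by hand and no backslashes end up stored.
$ins = $db->prepare("INSERT INTO list (sendto, message, status) VALUES (:to, :msg, 1)");
$ins->execute([':to' => 'alice', ':msg' => $message]);

// 2) A query that uses request input in WHERE: bind it instead of pasting it
//    into the SQL string. On the CLI there is no $_GET, so '1' is the fallback.
$status = $_GET['status'] ?? '1';
$sel = $db->prepare("SELECT sendto, message FROM list WHERE status = :status");
$sel->execute([':status' => $status]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// The stored value is exactly what was submitted, so there is nothing for
// stripslashes() to undo on the way back out.
if ($row['message'] !== $message) {
    throw new RuntimeException('stored value was altered');
}

// 3) Output: escape for the HTML context here, not for SQL. strip_tags() would
//    silently delete part of the user's text; htmlspecialchars() keeps it and
//    makes the browser render the markup as literal characters.
echo htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'), "\n";
```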
Wow, thanks everyone for all the info.