www.webdeveloper.com

Thread: mysql_real_escape_string and strip_tags

  1. #1
    Join Date: Dec 2006 | Posts: 15

    mysql_real_escape_string and strip_tags

    I have a few questions, if it's OK. I've been updating my site with mysql_real_escape_string and strip_tags; the questions are below in the code. Thanks...

    questions and code:
    PHP Code:
    question 1
    Should this code?:
    <?php echo $rows['message']; ?>

    Be like this?:
    <?php echo mysql_real_escape_string(strip_tags($rows['message'])); ?>

    question 2
    For this code do i need to use the mysql_real_escape_string and strip_tags if so how?:

    // `from` is a reserved word in MySQL, so the column name has to be quoted with backticks
    $sql = "SELECT sendto, `from`, created, status FROM list WHERE status = '1'";

    question 3
    For the password fields should i also use the mysql_real_escape_string and strip_tags like this?:

    $password = mysql_real_escape_string(strip_tags($_POST['password']));

  2. #2
    Join Date: May 2012 | Posts: 37
    Not really.

    mysql_real_escape_string will essentially add the escape character (\) to quotes (amongst a few others) in a string:

    PHP Code:
    // mysql_real_escape_string() needs an open mysql_connect() link
    $string = "this 'is a test'";
    echo mysql_real_escape_string($string);

    //Output
    // this \'is a test\'
    strip_tags will remove the <...> tags from the string - basically, HTML tags.
    PHP Code:
    $test = '<p>this is a test</p>';
    echo strip_tags($test);

    //Output
    // this is a test
    You want to use mysql_real_escape_string on data to prep it for insert in the database. Then probably stripslashes() before echoing it to the browser.

    magic_quotes_gpc throws a monkey wrench (odd saying) into the whole thing, but let's ignore that I said that for now.

    soapbox
    Personally, my advice though: if you're just starting out with PHP, don't bother spending too much time on the mysql drivers. They've been replaced by mysqli (i as in 'improved') and PHP's own PDO. mysql is in the process of being deprecated. Look for PDO tutorials... it may seem a little abstract at first but will make your life easier in the long run - for example, PDO takes care of all the escape string stuff for you.

    There's a ton of mysql tutorials out there and most of them, expectedly, are quite out-dated. At this point they do a disservice.
    / soapbox

  3. #3
    Join Date: Jan 2006 | Location: MN | Posts: 440
    mysql_real_escape_string() should be used mainly to sanitize form data, or data that might be incoming on a url such as "get" data.

    Data that is in your database i.e. $row['somefield'] does not need it.

  4. #4
    Join Date: Aug 2004 | Location: Ankh-Morpork | Posts: 19,528
    Just a clarification here: when mysql_real_escape_string() is used to sanitize inputs before using them in a MySQL query (a very good thing to do, mind you), the back-slashes it puts in the string do not actually end up in the database, so there is no need to do a stripslashes() on data subsequently retrieved from the DB.

    So mysql_real_escape_string() is only intended for securing string data being used in a MySQL query string, but has no purpose when outputting data to a browser -- htmlspecialchars() or htmlentities() is more appropriate for that.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
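
The split the replies describe (bind query values, store them unchanged, escape for HTML only at output time) as an added example that is not code from the thread; it uses PDO over an in-memory SQLite table so it runs stand-alone, and the table, column names (`sender` instead of the reserved word `from`) and input values are constructed for the example.

```php
<?php
// Added example: PDO prepared statements instead of mysql_real_escape_string,
// htmlspecialchars instead of strip_tags at output. Table and data are made up.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE list (sendto TEXT, sender TEXT, created TEXT, status TEXT, message TEXT)");

// Untrusted input, as it might arrive in $_POST (constructed sample).
$userMessage = "O'Brien says <b>hi</b> <script>alert(1)</script>";
$userStatus  = "1' OR '1'='1";   // would break a string-concatenated query

// Questions 2 and 3: values travel as bound parameters, never concatenated into SQL,
// so nothing needs mysql_real_escape_string or strip_tags on the way in.
$ins = $pdo->prepare(
    "INSERT INTO list (sendto, sender, created, status, message) VALUES (?, ?, ?, ?, ?)"
);
$ins->execute(['bob', 'alice', '2012-05-01', '1', $userMessage]);

$sel = $pdo->prepare(
    "SELECT sendto, sender, created, status, message FROM list WHERE status = ?"
);
$sel->execute([$userStatus]);
// The quote in $userStatus is data, not SQL: no row matches.
var_dump(count($sel->fetchAll()));   // int(0)

$sel->execute(['1']);
$row = $sel->fetch(PDO::FETCH_ASSOC);
// The stored value is byte-for-byte what was bound: there are no backslashes
// to strip on the way out (reply #4's point).
var_dump($row['message'] === $userMessage);   // bool(true)

// Question 1: escaping for the browser happens here, with htmlspecialchars.
echo htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'), "\n";
// O&#039;Brien says &lt;b&gt;hi&lt;/b&gt; &lt;script&gt;alert(1)&lt;/script&gt;
```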

  5. #5
    Join Date: Dec 2006 | Posts: 15
    Wow, thanks everyone for all the info.
