PHP & MYSQL - Secure Variables Question

Discussion in 'PHP' started by belici, Feb 28, 2009.

  1. #1
    So,

    I Have A PHP Page That Allows My Members To Update Their Signature, But There's A Problem

    To Secure The Variables I Made This:

        $quote = mysql_real_escape_string($_POST["quote"]);

    Then The $quote Is Sent To A mysql_query.

    There's The Problem With The " ' " Character (And Others). Even If I Use htmlentities() It Is The Same Thing (And real_escape_string Is More Used When Working With mySQL)

    How Can I Replace The "'" (If User Updates A Quote With That Character) Before Adding It To Database?

    Example If Using mysql_real_escape_string (Quote: "I Don't Think That I'm Soul-OverDarked"):
    Result => "I Don\'t Think That I\'m Soul-OverDarked" (It Adds "\")

    I Want To Clear That "\" If The User POSTs A Quote That Contains "'"

    Thanks
     
    belici, Feb 28, 2009 IP
  2. wmtips

    wmtips Well-Known Member

    Messages:
    601
    Likes Received:
    70
    Best Answers:
    1
    Trophy Points:
    150
    #2
    Read the manual - the main purpose of mysql_real_escape_string is "escape special characters in a string for use in a SQL statement". And now you want to remove the escaped \' character and make your script completely insecure? Learn more about SQL Injections, read this for the start.
     
    wmtips, Feb 28, 2009 IP
  3. BMR777

    BMR777 Well-Known Member

    Messages:
    145
    Likes Received:
    8
    Best Answers:
    1
    Trophy Points:
    140
    #3
    Yeah, you MUST use mysql_real_escape_string for security.

    At the place where the signature is, be sure to use the stripslashes() PHP function. This will remove the slashes added by mysql_real_escape_string when you're ready to output the text to the user.

    So, basically:

    Data going in > mysql_real_escape_string
    Data coming out > stripslashes()

    :)
     
    BMR777, Feb 28, 2009 IP
  4. belici

    belici Guest

    Messages:
    95
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #4
    @wmtips:
    I Used mysql_real_escape_string() To Prevent SQL Injection

    @BMR777:
    Thank You Very Much! I Used The stripslashes() On The Output Variable (From Another Page) And It Works...

    Great Community ;)
     
    belici, Feb 28, 2009 IP
  5. qualityfirst

    qualityfirst Peon

    Messages:
    147
    Likes Received:
    6
    Best Answers:
    1
    Trophy Points:
    0
    #5
    Beware of stripslashes() though. It will also strip any slashes if the user types them in themselves.
     
    qualityfirst, Feb 28, 2009 IP
  6. SmallPotatoes

    SmallPotatoes Peon

    Messages:
    1,321
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    0
    #6
    Don't use mysql_real_escape_string() until you are actually ready to use the string in a query. Don't just do it straight away if you will also be displaying the string on the web page at the same time.
     
    SmallPotatoes, Feb 28, 2009 IP
  7. SmallPotatoes

    SmallPotatoes Peon

    Messages:
    1,321
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    0
    #7
    An example:

        // Raw user input, kept as-is until it is about to be used somewhere
        $quote = $_POST['quote'];
        // Output context: encode for HTML only when echoing to the page
        echo "<p>Your quote is: " . htmlspecialchars($quote) . "</p>";
        // SQL context: escape for the query only when building the SQL text
        $sql = "insert into database (quote) values ('" . mysql_real_escape_string($quote) . "')";

    Each function has its own purpose, and should be saved for the correct time and place.
     
    SmallPotatoes, Feb 28, 2009 IP
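The three separate concerns raised in this thread (escaping for the SQL statement, encoding for the HTML page, and the data loss stripslashes() causes on user-typed backslashes, as noted in post #5), put together in one runnable script. This is an added example, not code from any poster. It assumes an in-memory SQLite database through PDO as a stand-in for MySQL so it runs offline, a table named signatures with a column named quote, and addslashes() as an emulation of what mysql_real_escape_string() produces for the quote and backslash characters used here (the real function needs a live MySQL connection and was removed in PHP 7).

```php
<?php
// Added example (not from the thread): SQL escaping vs. HTML encoding vs. stripslashes().
// Assumptions: SQLite in memory stands in for MySQL; table "signatures", column "quote";
// addslashes() emulates mysql_real_escape_string() for the characters in these samples.

declare(strict_types=1);

// Emulates what mysql_real_escape_string() does to ' and \ (prefixes a backslash).
// Stand-in only: the real function is MySQL-specific and gone since PHP 7.
function escapeForMysqlLiteral(string $s): string
{
    return addslashes($s);
}

// Builds the SQL text the way post #1 did. The backslash lives only inside this
// statement: the server removes it when it parses the quoted literal, so the
// value that is actually stored in the table is the original string.
function buildLegacyInsert(string $quote): string
{
    return "INSERT INTO signatures (quote) VALUES ('" . escapeForMysqlLiteral($quote) . "')";
}

// Stores a quote with a bound parameter and reads it back. Bound values never
// pass through string escaping, so there is nothing to strip on the way out.
function roundTrip(PDO $db, string $quote): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS signatures (id INTEGER PRIMARY KEY, quote TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO signatures (quote) VALUES (:quote)');
    $insert->execute([':quote' => $quote]);

    $select = $db->prepare('SELECT quote FROM signatures WHERE id = :id');
    $select->execute([':id' => $db->lastInsertId()]);
    return (string) $select->fetchColumn();
}

// HTML encoding belongs at output time, never at storage time.
function renderQuote(string $quote): string
{
    return '<p>Your quote is: ' . htmlspecialchars($quote, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample inputs: the quote from post #1, a value with backslashes
// typed by the user (the case post #5 warns about), and one with HTML characters.
$samples = [
    "I Don't Think That I'm Soul-OverDarked",
    'Saved under C:\temp\sig.txt',
    'Tom & Jerry <b>bold</b> "quoted"',
];

foreach ($samples as $quote) {
    echo "Input:           $quote\n";
    echo "Legacy SQL text: " . buildLegacyInsert($quote) . "\n";
    $stored = roundTrip($db, $quote);
    echo "Stored value:    $stored\n";
    // stripslashes() on the stored value is lossless for the first sample and
    // destructive for the second ("C:\temp\sig.txt" becomes "C:tempsig.txt").
    echo "stripslashes():  " . stripslashes($stored) . "\n";
    echo "HTML output:     " . renderQuote($stored) . "\n\n";
}
```

Run it with the PHP CLI. For each sample the "Stored value" line matches the "Input" line exactly, which is the point: the backslashes in the legacy SQL text are part of the statement's syntax, not part of the data, so a stripslashes() on output has nothing legitimate to remove and will eat backslashes the user actually typed.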