From: kapuoriginal on 19 Aug 2010 18:40

I think you should use prepared statements.

Kapu

--------------------------------------------------
From: "Karl DeSaulniers" <karl(a)designdrumm.com>
Sent: Friday, August 20, 2010 12:05 AM
To: <php-db(a)lists.php.net>
Subject: Re: [PHP-DB] Slashes or no slashes

> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>
>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>
>>> You should be using
>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>
>>> You don't need to search with extra slashes for retrieval.
>>>
>>>> -----Original Message-----
>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>> To: php-db(a)lists.php.net
>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>
>>>> Hello,
>>>> When I add an item to my database and I use addslashes(),
>>>> do I have to use addslashes() to a query that looks for that item?
>>>> Or would I be adding double slashes and canceling my own result?
>>>> TIA
>>>>
>>>> Karl DeSaulniers
>>>> Design Drumm
>>>> http://designdrumm.com
>>>
>>> --
>>> PHP Database Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>> Ah, but let's say I am using a character set utf-8, I should use
>> mysql_real_escape_string() instead?
>> Best,
>>
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>
> For a line like this..
>
> return htmlspecialchars(stripslashes($this->values[$field]));
>
> would I change this to?
>
> return mysql_real_escape_string($this->values[$field]);
>
> Or do I still need the htmlspecialchars? In that case would I change
> it to?
>
> return htmlspecialchars(mysql_real_escape_string($this->values[$field]));
>
> TIA
>
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
From: Karl DeSaulniers on 19 Aug 2010 19:07

Ahhh.. Kapu where were you three months ago?? :)
Prepared statements sounds like the way to go, but at this point that would mean converting a lot of pages.
I will have to investigate some more about this and convert the code over at a later date.
For now I think mysql_real_escape_string will work for what I am doing.
Thank you all for your responses. Again.

Best,
Karl

On Aug 19, 2010, at 5:40 PM, <kapuoriginal(a)gmail.com> wrote:

> I think you should use prepared statements.
>
> Kapu
>
> --------------------------------------------------
> From: "Karl DeSaulniers" <karl(a)designdrumm.com>
> Sent: Friday, August 20, 2010 12:05 AM
> To: <php-db(a)lists.php.net>
> Subject: Re: [PHP-DB] Slashes or no slashes
>
>> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>>
>>>> You should be using
>>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>>
>>>> You don't need to search with extra slashes for retrieval.
>>>>
>>>>> -----Original Message-----
>>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>>> To: php-db(a)lists.php.net
>>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>>
>>>>> Hello,
>>>>> When I add an item to my database and I use addslashes(),
>>>>> do I have to use addslashes() to a query that looks for that item?
>>>>> Or would I be adding double slashes and canceling my own result?
>>>>> TIA
>>>>>
>>>>> Karl DeSaulniers
>>>>> Design Drumm
>>>>> http://designdrumm.com
>>>
>>> Ah, but let's say I am using a character set utf-8, I should use
>>> mysql_real_escape_string() instead?
>>> Best,
>>>
>>> Karl DeSaulniers
>>> Design Drumm
>>> http://designdrumm.com
>>
>> For a line like this..
>> return htmlspecialchars(stripslashes($this->values[$field]));
>> would I change this to?
>> return mysql_real_escape_string($this->values[$field]);
>> Or do I still need the htmlspecialchars? In that case would I
>> change it to?
>> return htmlspecialchars(mysql_real_escape_string($this->values[$field]));
>> TIA
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com

Karl DeSaulniers
Design Drumm
http://designdrumm.com
From: Chris on 22 Aug 2010 20:12

On 20/08/10 08:05, Karl DeSaulniers wrote:
> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>
>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>
>>> You should be using
>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>
>>> You don't need to search with extra slashes for retrieval.
>>>
>>>> -----Original Message-----
>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>> To: php-db(a)lists.php.net
>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>
>>>> Hello,
>>>> When I add an item to my database and I use addslashes(),
>>>> do I have to use addslashes() to a query that looks for that item?
>>>> Or would I be adding double slashes and canceling my own result?
>>>> TIA
>>>>
>>>> Karl DeSaulniers
>>>> Design Drumm
>>>> http://designdrumm.com
>>
>> Ah, but let's say I am using a character set utf-8, I should use
>> mysql_real_escape_string() instead?
>> Best,
>>
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>
> For a line like this..
>
> return htmlspecialchars(stripslashes($this->values[$field]));
>
> would I change this to?
>
> return mysql_real_escape_string($this->values[$field]);
>
> Or do I still need the htmlspecialchars? In that case would I change it to?
>
> return htmlspecialchars(mysql_real_escape_string($this->values[$field]));

You use mysql_real_escape_string for queries on the way in.

$query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'";

You use htmlspecialchars on the way out:

$value = htmlspecialchars($row['name']);

--
Postgresql & php tutorials
http://www.designmagick.com/
From: Karl DeSaulniers on 23 Aug 2010 21:22

On Aug 22, 2010, at 7:12 PM, Chris wrote:

> On 20/08/10 08:05, Karl DeSaulniers wrote:
>> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>>
>>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>>
>>>> You should be using
>>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>>
>>>> You don't need to search with extra slashes for retrieval.
>>>>
>>>>> -----Original Message-----
>>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>>> To: php-db(a)lists.php.net
>>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>>
>>>>> Hello,
>>>>> When I add an item to my database and I use addslashes(),
>>>>> do I have to use addslashes() to a query that looks for that item?
>>>>> Or would I be adding double slashes and canceling my own result?
>>>>> TIA
>>>>>
>>>>> Karl DeSaulniers
>>>>> Design Drumm
>>>>> http://designdrumm.com
>>>
>>> Ah, but let's say I am using a character set utf-8, I should use
>>> mysql_real_escape_string() instead?
>>> Best,
>>>
>>> Karl DeSaulniers
>>> Design Drumm
>>> http://designdrumm.com
>>
>> For a line like this..
>>
>> return htmlspecialchars(stripslashes($this->values[$field]));
>>
>> would I change this to?
>>
>> return mysql_real_escape_string($this->values[$field]);
>>
>> Or do I still need the htmlspecialchars? In that case would I
>> change it to?
>>
>> return htmlspecialchars(mysql_real_escape_string($this->values[$field]));
>
> You use mysql_real_escape_string for queries on the way in.
>
> $query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'";
>
> You use htmlspecialchars on the way out:
>
> $value = htmlspecialchars($row['name']);
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/

Ah.. thanks Chris.
If I want to compare that value I get from the database to what a user entered,
do I escape the value they entered or add htmlspecialchars to it before comparing it to what comes out of the database?
Sorry this is such a PHP 101 question. If you have time to respond, please do, otherwise no worries, I am sure I will figure it out.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com
From: Chris on 23 Aug 2010 21:35

>> You use mysql_real_escape_string for queries on the way in.
>>
>> $query = "select * from table where
>> name='".mysql_real_escape_string($_POST['name'])."'";
>>
>> You use htmlspecialchars on the way out:
>>
>> $value = htmlspecialchars($row['name']);
>>
>> --
>> Postgresql & php tutorials
>> http://www.designmagick.com/
>
> Ah.. thanks Chris.
> If I want to compare that value I get from the database to what a user
> entered,
> do I escape the value they entered or add htmlspecialchars to it before
> comparing it to what comes out of the database?
> Sorry this is such a PHP 101 question. If you have time to respond,
> please do, otherwise no worries, I am sure I will figure it out.

If you want to compare, you're doing a query - so use mysql_real_escape_string:

$query = "select blah from table where name='" . mysql_real_escape_string($_POST['name']) . "'";

When you print results, you use htmlspecialchars:

echo "Your search for " . htmlspecialchars($_POST['name']) . " returned X results<br/>";

--
Postgresql & php tutorials
http://www.designmagick.com/
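The rule in Chris's two replies (escape for the query on the way in, htmlspecialchars on the way out) combined with Kapu's advice to use prepared statements, written out as an added example that is not from the thread or from any of its participants. It uses PDO with an in-memory SQLite database so it runs offline; the table, the sample value and the function names (addItem, findItem, renderItem) are constructed for this example. mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7.0, so PDO stands in for it here; the same bound-parameter calls work against MySQL with a mysql: DSN.

```php
<?php
// Added example, not code from the PHP-DB thread. Demonstrates the
// in/out rule from the thread with prepared statements (Kapu's advice).
// Assumptions: pdo_sqlite is available; table and sample data are constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Way in: store the raw value. A prepared statement sends the value
// separately from the SQL text, so addslashes()/escaping is not needed
// and no extra characters end up in the row.
function addItem(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO items (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Comparing a user value against the database is still a query (Chris's
// point), so the value is bound as a parameter. The stored value is the raw
// string, so the search value must be the raw string too.
function findItem(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM items WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// Way out: escape for the HTML context only when printing.
function renderItem(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

// Constructed sample input containing a quote and HTML metacharacters.
$userInput = "O'Brien <b>&</b>";

addItem($db, $userInput);

// Searching with the raw input finds the row.
if (findItem($db, $userInput) !== $userInput) {
    throw new RuntimeException('raw search should match the stored value');
}

// Searching with addslashes() applied does not: the backslash becomes part of
// the compared value. This is the double-escaping the original question asked about.
if (findItem($db, addslashes($userInput)) !== null) {
    throw new RuntimeException('addslashes() on the search value should not match');
}

// For contrast, the concatenated form from the thread breaks on the apostrophe
// in the data itself (a syntax error here); the prepared form never has that problem.
try {
    $db->query("SELECT name FROM items WHERE name = '" . $userInput . "'");
    throw new RuntimeException('concatenated query unexpectedly succeeded');
} catch (PDOException $e) {
    echo 'concatenated query failed as expected: ', $e->getMessage(), "\n";
}

echo renderItem(findItem($db, $userInput) ?? ''), "\n";
```

Run it with `php example.php`. The two checks encode the thread's answer: the value stored is the raw string, so the value you compare against it is the raw string bound as a parameter, and htmlspecialchars() is applied only in renderItem(), where the string meets HTML.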