From: kapuoriginal on
I think you should use prepared statements.

Kapu

--------------------------------------------------
From: "Karl DeSaulniers" <karl(a)designdrumm.com>
Sent: Friday, August 20, 2010 12:05 AM
To: <php-db(a)lists.php.net>
Subject: Re: [PHP-DB] Slashes or no slashes

>
> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>
>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>
>>> You should be using
>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>
>>> You don't need to search with extra slashes for retrieval.
>>>
>>>> -----Original Message-----
>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>> To: php-db(a)lists.php.net
>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>
>>>> Hello,
>>>> When I add an item to my database and I use addslashes(),
>>>> do I have to use addslashes() to a query that looks for that item?
>>>> Or would I be adding double slashes and canceling my own result?
>>>> TIA
>>>>
>>>> Karl DeSaulniers
>>>> Design Drumm
>>>> http://designdrumm.com
>>>>
>>>>
>>>
>>>
>>> -- PHP Database Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>>
>> Ah, but let's say I am using a character set utf-8, I should use
>> mysql_real_escape_string() instead?
>> Best,
>>
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>>
>>
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>
> For a line like this..
>
> return htmlspecialchars(stripslashes($this->values[$field]));
>
> would I change this to?
>
> return mysql_real_escape_string($this->values[$field]);
>
> Or do I still need the htmlspecialchars? In that case would I change
> it to?
>
> return htmlspecialchars(mysql_real_escape_string($this->values
> [$field]));
>
> TIA
>
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
From: Karl DeSaulniers on
Ahhh.. Kapu, where were you three months ago?? :)
Prepared statements sound like the way to go,
but at this point that would mean converting a lot of pages.
I will have to investigate some more about this and convert the code
over at a later date.
For now I think mysql_real_escape_string will work for what I am doing.
Thank you all for your responses. Again.

Best,

Karl


On Aug 19, 2010, at 5:40 PM, <kapuoriginal(a)gmail.com> wrote:

> I think you should use prepared statements.
>
> Kapu
>
> --------------------------------------------------
> From: "Karl DeSaulniers" <karl(a)designdrumm.com>
> Sent: Friday, August 20, 2010 12:05 AM
> To: <php-db(a)lists.php.net>
> Subject: Re: [PHP-DB] Slashes or no slashes
>
>> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>>
>>>> You should be using
>>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>>
>>>> You don't need to search with extra slashes for retrieval.
>>>>
>>>>> -----Original Message-----
>>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>>> To: php-db(a)lists.php.net
>>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>>
>>>>> Hello,
>>>>> When I add an item to my database and I use addslashes(),
>>>>> do I have to use addslashes() to a query that looks for that item?
>>>>> Or would I be adding double slashes and canceling my own result?
>>>>> TIA
>>>>>
>>>>> Karl DeSaulniers
>>>>> Design Drumm
>>>>> http://designdrumm.com
>>>>>
>>>>>
>>>>
>>>>
>>>> -- PHP Database Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>
>>>
>>> Ah, but let's say I am using a character set utf-8, I should use
>>> mysql_real_escape_string() instead?
>>> Best,
>>>
>>> Karl DeSaulniers
>>> Design Drumm
>>> http://designdrumm.com
>>>
>>>
>>> --
>>> PHP Database Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>> For a line like this..
>> return htmlspecialchars(stripslashes($this->values[$field]));
>> would I change this to?
>> return mysql_real_escape_string($this->values[$field]);
>> Or do I still need the htmlspecialchars? In that case would I
>> change it to?
>> return htmlspecialchars(mysql_real_escape_string($this->values
>> [$field]));
>> TIA
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Chris on
On 20/08/10 08:05, Karl DeSaulniers wrote:
>
> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>
>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>
>>> You should be using
>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>
>>> You don't need to search with extra slashes for retrieval.
>>>
>>>> -----Original Message-----
>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>> To: php-db(a)lists.php.net
>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>
>>>> Hello,
>>>> When I add an item to my database and I use addslashes(),
>>>> do I have to use addslashes() to a query that looks for that item?
>>>> Or would I be adding double slashes and canceling my own result?
>>>> TIA
>>>>
>>>> Karl DeSaulniers
>>>> Design Drumm
>>>> http://designdrumm.com
>>>>
>>>>
>>>
>>>
>>> -- PHP Database Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>>
>> Ah, but let's say I am using a character set utf-8, I should use
>> mysql_real_escape_string() instead?
>> Best,
>>
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>>
>>
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>
> For a line like this..
>
> return htmlspecialchars(stripslashes($this->values[$field]));
>
> would I change this to?
>
> return mysql_real_escape_string($this->values[$field]);
>
> Or do I still need the htmlspecialchars? In that case would I change it to?
>
> return htmlspecialchars(mysql_real_escape_string($this->values[$field]));

You use mysql_real_escape_string for queries on the way in.

$query = "select * from table where
name='".mysql_real_escape_string($_POST['name'])."'";

You use htmlspecialchars on the way out:

$value = htmlspecialchars($row['name']);


--
Postgresql & php tutorials
http://www.designmagick.com/

From: Karl DeSaulniers on

On Aug 22, 2010, at 7:12 PM, Chris wrote:

> On 20/08/10 08:05, Karl DeSaulniers wrote:
>>
>> On Aug 19, 2010, at 4:44 PM, Karl DeSaulniers wrote:
>>
>>> On Aug 19, 2010, at 4:36 PM, Daevid Vincent wrote:
>>>
>>>> You should be using
>>>> http://us2.php.net/manual/en/function.mysql-escape-string.php
>>>>
>>>> You don't need to search with extra slashes for retrieval.
>>>>
>>>>> -----Original Message-----
>>>>> From: Karl DeSaulniers [mailto:karl(a)designdrumm.com]
>>>>> Sent: Thursday, August 19, 2010 2:29 PM
>>>>> To: php-db(a)lists.php.net
>>>>> Subject: [PHP-DB] Slashes or no slashes
>>>>>
>>>>> Hello,
>>>>> When I add an item to my database and I use addslashes(),
>>>>> do I have to use addslashes() to a query that looks for that item?
>>>>> Or would I be adding double slashes and canceling my own result?
>>>>> TIA
>>>>>
>>>>> Karl DeSaulniers
>>>>> Design Drumm
>>>>> http://designdrumm.com
>>>>>
>>>>>
>>>>
>>>>
>>>> -- PHP Database Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>
>>>
>>> Ah, but let's say I am using a character set utf-8, I should use
>>> mysql_real_escape_string() instead?
>>> Best,
>>>
>>> Karl DeSaulniers
>>> Design Drumm
>>> http://designdrumm.com
>>>
>>>
>>> --
>>> PHP Database Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>>
>> For a line like this..
>>
>> return htmlspecialchars(stripslashes($this->values[$field]));
>>
>> would I change this to?
>>
>> return mysql_real_escape_string($this->values[$field]);
>>
>> Or do I still need the htmlspecialchars? In that case would I
>> change it to?
>>
>> return htmlspecialchars(mysql_real_escape_string($this->values
>> [$field]));
>
> You use mysql_real_escape_string for queries on the way in.
>
> $query = "select * from table where name='".mysql_real_escape_string
> ($_POST['name'])."'";
>
> You use htmlspecialchars on the way out:
>
> $value = htmlspecialchars($row['name']);
>
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>


Ah.. thanks Chris.
If I want to compare the value I get from the database to what a
user entered, do I escape the value they entered, or add
htmlspecialchars to it, before comparing it to what comes out of the
database?
Sorry this is such a PHP 101 question. If you have time to respond,
please do, otherwise no worries, I am sure I will figure it out.
Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Chris on

>> You use mysql_real_escape_string for queries on the way in.
>>
>> $query = "select * from table where
>> name='".mysql_real_escape_string($_POST['name'])."'";
>>
>> You use htmlspecialchars on the way out:
>>
>> $value = htmlspecialchars($row['name']);
>>
>>
>> --
>> Postgresql & php tutorials
>> http://www.designmagick.com/
>>
>>
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>
> Ah.. thanks Chris.
> If I want to compare the value I get from the database to what a user
> entered, do I escape the value they entered, or add htmlspecialchars
> to it, before comparing it to what comes out of the database?
> Sorry this is such a PHP 101 question. If you have time to respond,
> please do, otherwise no worries, I am sure I will figure it out.

If you want to compare, you're doing a query - so use
mysql_real_escape_string:

$query = "select blah from table where name='" .
mysql_real_escape_string($_POST['name']) . "'";


When you print results, you use htmlspecialchars:

echo "Your search for " . htmlspecialchars($_POST['name']) . " returned
X results<br/>";

--
Postgresql & php tutorials
http://www.designmagick.com/
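
A worked example of the advice given in this thread (Kapu's "use prepared
statements", Chris's "escape on the way in, htmlspecialchars on the way out",
and Karl's question about comparing a stored value with user input). This is
an added example, not code posted by anyone in the thread. It assumes the
pdo_sqlite extension is available and uses an in-memory SQLite database as a
stand-in for MySQL, since that runs offline; the binding and escaping rules
it shows are the ones PDO applies to a MySQL connection as well. The table,
column and function names are invented for the example.

```php
<?php
// Added example, not from the php-db thread. Assumption: pdo_sqlite is
// installed; an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// "On the way in": the value travels as a bound parameter and is never
// spliced into the SQL text, so it needs neither addslashes() nor
// mysql_real_escape_string(). The driver keeps data and query separate.
function insertItem(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO items (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// The lookup binds the raw user input the same way: no extra slashes
// are needed for retrieval, which answers the original question.
function findItem(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM items WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// "On the way out": escape for the HTML context only when rendering.
// This is output encoding, unrelated to SQL escaping.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$db = openDb();

// Constructed sample input: a name with a quote and a tag, as a form
// might submit it.
$userInput = "O'Reilly <b>";
insertItem($db, $userInput);

// 1. Searching with the raw value finds the row, and the stored value is
//    byte-for-byte what the user typed (no slashes were added on the way in).
$fromDb = findItem($db, $userInput);
echo "stored equals input: ", var_export($fromDb === $userInput, true), "\n";

// 2. Comparing a DB value with user input: compare the raw strings.
//    Escaping either side first turns a match into a mismatch, because
//    htmlspecialchars() rewrites the quote as an entity.
echo "escaped equals input: ", var_export(renderName($fromDb) === $userInput, true), "\n";

// 3. The double-slash trap: applying addslashes() to a value that is then
//    bound as a parameter stores the backslash literally. A later search
//    for the real name finds nothing; only the slashed form matches.
insertItem($db, addslashes("D'Angelo"));
echo "search for real name: ", var_export(findItem($db, "D'Angelo"), true), "\n";
echo "search for slashed name: ", var_export(findItem($db, "D\\'Angelo"), true), "\n";

// 4. Rendering: the HTML page gets htmlspecialchars(), never the SQL escaping.
echo "rendered: ", renderName($fromDb), "\n";
```

Run it with `php example.php`. The point of step 3 is the one that bit the
original poster: escaping belongs to the construction of an SQL literal, so
with parameter binding there is nothing to escape, and with string-built
queries each query escapes its own input exactly once. Comparison and
rendering are separate contexts with their own rules: compare raw values,
and apply htmlspecialchars() only at the moment the value is written into HTML.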
