But, also, I thought mysql_real_escape_string() is a "filter" for everything, e.g. let's have three links (add, delete, edit) as

    <a href=index.php?action=add&rec_id=$rec_id>Add new</a>
    <a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
    <a href=index.php?action=delete&rec_id=$rec_id>Delete</a>

and was doing it this way:

    #index.php
    <?php
    if (isset($_GET['action'])) {
        $action = mysql_real_escape_string($_GET['action']);
        $rec_id = mysql_real_escape_string($_GET['rec_id']);
        switch ($action) {
            case 'add':
                // add new record
                break;
            case 'edit':
                // edit record
                break;
            case 'delete':
                // delete record
                break;
        }
    }
    ?>

It means that $action I will never store in the DB, nor show on screen. Am I then wrong to do $action = mysql_real_escape_string($_GET['action']); or should I do $action = htmlentities($_GET['action']); or is $action = $_GET['action']; just fine? I'm really confused.
One thing that might help is to understand why you are doing something. As everyone has said, mysql_real_escape_string escapes characters to prevent SQL injection. The reason we do this is to tell the system that the data we are putting into the system is just data, not syntax characters.

An example is this: Say I want to echo out a string exactly "variables should be in this format: $variable". So I make this code block:

    <?php echo "variables should be in this format: $variable"; ?>

That would give this output:

    variables should be in this format:

And throw this error:

    [error] PHP Notice: Undefined variable: variable in /Users/eric/Sites/meh.php on line 3

The reason is because PHP parsed $variable and saw that it was undefined. So to get it to show up I would have to do this:

    <?php echo "variables should be in this format: \$variable"; ?>

And I get this output:

    variables should be in this format: $variable

By adding the \ in front of the $ I escaped it and told the parser to ignore that. That is what all functions like mysql_real_escape_string and htmlentities do. They tell whatever parser to ignore what is happening (more or less :)).

So when you have a page like this:

    page.php?id=34

... that eventually gets piped into this ...

    $sql = "SELECT id, title FROM sometable WHERE id='". $_GET['id'] ."'";

People will know that 34 is being put into a DB. So they might try to add raw SQL commands to your ?id=. This is why we use mysql_real_escape_string to prevent people from injecting SQL commands into your raw data.

It is also used to prevent your data from mixing with SQL commands too, like if you had a form that submitted an input field to update a table and I typed in "Eric's Data", it would end up:

    UPDATE sometable SET title = 'Eric's Data' WHERE id=32;

This would cause an error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Data' WHERE id=32' at line 1

That is why magic quotes exists. It automatically escapes quotes for you so that you don't have to worry about this. So on POSTing of this form "Eric's Data" becomes "Eric\'s Data". When you addslashes or use mysql_real_escape_string with magic quotes on, it will add another escape \ to the quote (leading to "Eric\\'s Data"), which would lead to you having to use stripslashes when you pull this record back out of sometable.

As you have read, you shouldn't have to use stripslashes. mysql_real_escape_string and stripslashes only escape characters for the SQL query to work. They don't actually go into the database, just like when we did echo "\$variable"; you didn't see \$variable in the output.

Hopefully this will clear up a few things for you.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
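The three contexts the thread keeps mixing up (the action value that is only compared, the SQL query, and the HTML output), put side by side in a runnable script. This is an added example, not code from either poster; it assumes PHP with the pdo_sqlite extension and constructs its own table and request data in place of MySQL and $_GET.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension;
// an in-memory SQLite table stands in for "sometable" in MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sometable (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO sometable (id, title) VALUES (32, 'old title')");

// Constructed request standing in for $_GET; the title carries the
// apostrophe from the "Eric's Data" example in the reply.
$request = ['action' => 'edit', 'rec_id' => '32', 'title' => "Eric's Data"];

// 1. action: never stored, never echoed, so no escaping function applies.
//    Comparing against a fixed list is the whole check.
$allowed = ['add', 'edit', 'delete'];
$action = in_array($request['action'], $allowed, true) ? $request['action'] : null;

// 2. rec_id: an integer column, so validate the type instead of escaping a string.
$recId = filter_var($request['rec_id'], FILTER_VALIDATE_INT);
if ($action === null || $recId === false) {
    exit("bad request\n");
}

switch ($action) {
    case 'edit':
        // 3. SQL context: the placeholder keeps "Eric's Data" as data, so the
        //    quote needs no escaping and no backslash is written to the table.
        $stmt = $db->prepare('UPDATE sometable SET title = :title WHERE id = :id');
        $stmt->execute([':title' => $request['title'], ':id' => $recId]);
        break;
    case 'add':
    case 'delete':
        // bodies omitted in this example
        break;
}

// Reading it back shows the stored value has no backslash, which is why
// stripslashes on the way out is the wrong fix.
$title = $db->query('SELECT title FROM sometable WHERE id = 32')->fetchColumn();
var_dump($title === "Eric's Data");

// 4. HTML context: escape at output time, for the HTML parser, not for MySQL.
echo '<a href="index.php?action=edit&amp;rec_id=' . $recId . '">Edit '
   . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</a>' . "\n";
```

With magic quotes on, the title would arrive already as "Eric\'s Data" and the placeholder would store that backslash literally, which is the double-escaping the reply describes; the fix there is to turn magic quotes off, not to add stripslashes on output.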