Ok. Looks like I DID miss the point :) I thought that with mysql_real_escape_string() I HAVE TO add a slash in front of a quote and THAT's filtering. :( Ok. The slash SHOULDN'T be in the DB! :)

>> But, also, I thought mysql_real_escape_string() is a "filter" for
>> everything, e.g. let's have three links (add, delete, edit) as
>> <a href=index.php?action=add&rec_id=$rec_id>Add new</a>
>> <a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
>> <a href=index.php?action=delete&rec_id=$rec_id>Delete</a>
>> and was doing it this way:
>> #index.php
>> <?php
>> if($_GET['action'])
>> {
>>     $action = mysql_real_escape_string($_GET['action']);
>>     $rec_id = mysql_real_escape_string($_GET['rec_id']);
>>     switch($action)
>>     {
>>         case 'add':
>>             // add new record
>>             break;
>>
>>         case 'edit':
>>             // edit record
>>             break;
>>
>>         case 'delete':
>>             // delete record
>>             break;
>>     }
>> }
>> ?>
>>
>> It means that I will never store $action in the DB, nor show it on screen.
>> Am I then wrong to do
>> $action = mysql_real_escape_string($_GET['action']);
>> or should I do
>> $action = htmlentities($_GET['action']);
>> or is
>> $action = $_GET['action'];
>> just fine?
>>
>> I'm really confused.
>
> One thing that might help is to understand why you are doing
> something. As everyone has said, mysql_real_escape_string escapes
> characters to prevent SQL injection. The reason we do this is to tell
> the system that the data we are putting into the system is just data,
> not syntax characters.
>
> An example is this:
>
> Say I want to echo out a string exactly "variables should be in this
> format: $variable". So I make this code block:
>
> <?php
> echo "variables should be in this format: $variable";
> ?>
>
> That would give this output:
> variables should be in this format:
>
> And throw this error:
> [error] PHP Notice: Undefined variable: variable in
> /Users/eric/Sites/meh.php on line 3
>
> The reason is because PHP parsed $variable and saw that it was
> undefined. So to get it to show up I would have to do this:
>
> <?php
> echo "variables should be in this format: \$variable";
> ?>
>
> And I get this output:
> variables should be in this format: $variable
>
> By adding the \ in front of the $ I escaped it and told the parser to
> ignore that. That is what all functions like mysql_real_escape_string
> and htmlentities do. They tell whatever parser to ignore what is
> happening (more or less :))
>
> So when you have a page like this:
> page.php?id=34
> ... that eventually gets piped into this ...
> $sql = "SELECT id, title FROM sometable WHERE id='". $_GET['id'] ."'";
>
> People will know that 34 is being put into a DB. So they might try to
> add raw SQL commands to your ?id=. This is why we use
> mysql_real_escape_string to prevent people from injecting SQL commands
> into your raw data. It is also used to prevent your data from mixing
> with SQL commands too, like if you had a form that submitted an input
> field to update a table and I typed in "Eric's Data" it would end up:
>
> UPDATE sometable SET title = 'Eric's Data' WHERE id=32;
>
> This would cause an error "You have an error in your SQL syntax; check
> the manual that corresponds to your MySQL server version for the right
> syntax to use near 's Data' WHERE id=32' at line 1". That is why magic
> quotes exists. It automatically escapes quotes for you so that you
> don't have to worry about this. So on POSTing of this form "Eric's
> Data" becomes "Eric\'s Data".
>
> When you addslashes or use mysql_real_escape_string with magic quotes
> on it will add another escape \ to the quote (leading to "Eric\\'s
> Data") which would lead to you having to use stripslashes when you pull
> this record back out of sometable. As you have read, you shouldn't
> have to use stripslashes. mysql_real_escape_string and stripslashes
> only escape characters for the SQL query to work. They don't actually
> go into the database, just like when we did echo "\$variable"; you
> didn't see \$variable in the output.
>
> Hopefully this will clear up a few things for you.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
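As an added example (not code from the thread), the following Python models the two sides Eric describes: a simplified mysql_real_escape_string and a minimal reader for a MySQL single-quoted literal, so the raw, escaped and double-escaped (magic quotes plus addslashes) forms of "Eric's Data" can be compared with what the server would actually store. The escape table and the literal reader are simplified assumptions, not MySQL's own code; a whitelist check for the three actions from the first post is included because that parameter is never stored or displayed.

```python
# Added example: escaping is for the SQL parser; the backslash is not stored.

ACTIONS = {"add", "edit", "delete"}  # the three links from the first post

def dispatch_action(action: str) -> str:
    # $action is never stored or echoed, so a whitelist fits, not escaping.
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    return action

def mysql_escape(value: str) -> str:
    # Simplified model of mysql_real_escape_string (assumption: ASCII input,
    # no connection-charset handling), same characters and replacements.
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def build_update(title: str, rec_id, escape: bool) -> str:
    # Numeric id: cast, do not escape. Text: escape only when asked.
    lit = mysql_escape(title) if escape else title
    return f"UPDATE sometable SET title = '{lit}' WHERE id={int(rec_id)};"

def parse_string_literal(sql: str, start: int) -> tuple:
    # Decode the literal opening at sql[start] == "'" and return
    # (decoded value, index just past the closing quote). Handles the
    # backslash escapes mysql_escape emits and the doubled '' form.
    unescape = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            out.append(unescape.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def stored_title(sql: str) -> tuple:
    # What the parser would store for title, and the SQL left over after it.
    value, end = parse_string_literal(sql, sql.index("'"))
    return value, sql[end:]
```

With the raw query the literal ends at the apostrophe and "s Data' WHERE id=32;" is left over, which is exactly the fragment MySQL's error message quotes; the escaped query stores "Eric's Data" with no backslash, and the double-escaped one stores "Eric\'s Data", which is the case that made people reach for stripslashes.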