Re: Slashes or no slashes

On Aug 23, 2010, at 8:35 PM, Chris wrote:


You use mysql_real_escape_string for queries on the way in.

$query = "select * from table where name='" . mysql_real_escape_string($_POST['name']) . "'";

You use htmlspecialchars on the way out:

$value = htmlspecialchars($row['name']);


--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Ah... thanks Chris.
If I want to compare that value I get from the database to what a user entered, do I escape the value they entered or add htmlspecialchars to it before comparing it to what comes out of the database?
Sorry this is such a PHP 101 question. If you have time to respond, please do; otherwise no worries, I am sure I will figure it out.

If you want to compare, you're doing a query - so use mysql_real_escape_string:

$query = "select blah from table where name='" . mysql_real_escape_string($_POST['name']) . "'";


When you print results, you use htmlspecialchars:

echo "Your search for " . htmlspecialchars($_POST['name']) . " returned X results<br/>";



Thanks again Chris,
To be more specific, is this correct?

function confirmUP($username, $password){
   /* Escape the username before it is spliced into the SQL string */
   $username = mysql_real_escape_string($username);

   /* Verify that user is in database */
   $q = "SELECT password FROM `TBL-U` WHERE username = '$username'";
   $result = $this->query($q);
   if(!$result || (mysql_num_rows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result */
   $dbarray = mysql_fetch_array($result);
   $dbarray['password'] = htmlspecialchars($dbarray['password']);
   $password = mysql_real_escape_string(md5($password));
   $password = htmlspecialchars($password);

   /* Validate that password is correct */
   if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

The password was added to the database with md5() applied after escaping.
Thank you for responding so quickly.

Karl DeSaulniers
Design Drumm
http://designdrumm.com
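The posted function with each encoding applied only at its own boundary, as an added example that is not part of the thread or of anyone's reply on it. It keeps the thread's 0/1/2 return codes and its md5 storage so existing stored hashes stay comparable, but swaps in a PDO prepared statement in place of mysql_real_escape_string and hash_equals() in place of ==, and it applies htmlspecialchars only when a value is written into a page. The in-memory SQLite database, the users table, the sample row and the helper names are assumptions made so the script runs offline; password_hash()/password_verify() are the modern replacement for md5 in new code.

```php
<?php
// Added example, not the thread's code. Assumed schema: users(username, password)
// with the md5 hex digest stored in `password`, as the thread describes.

function setupDb(): PDO {
    // Assumption: SQLite via PDO so the script runs without a MySQL server;
    // a MySQL DSN works the same way with the same prepared statements.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)");
    // Constructed sample row: password "secret" stored as its md5 hex digest,
    // unescaped and unencoded, exactly as it will be compared later.
    $ins = $db->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
    $ins->execute([':u' => "o'brien", ':p' => md5('secret')]);
    return $db;
}

// Returns 0 on success, 1 for an unknown username, 2 for a wrong password,
// matching the codes in the posted function.
function confirmUP(PDO $db, string $username, string $password): int {
    // SQL boundary: bind the value instead of splicing an escaped string.
    // "o'brien" reaches the query intact with no mysql_real_escape_string call.
    $stmt = $db->prepare("SELECT password FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 1;
    }
    // Comparison boundary: compare the raw stored digest with the freshly
    // computed one. No htmlspecialchars and no escaping on either side;
    // hash_equals() is a constant-time comparison.
    return hash_equals($row['password'], md5($password)) ? 0 : 2;
}

// Why the posted code happens to work: htmlspecialchars() leaves a hex digest
// unchanged but rewrites anything containing & < > " ', so encoding a value
// before comparison is only harmless while that value is hex.
function encodingChangesValue(string $value): bool {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8') !== $value;
}

// HTML boundary: encode only when writing the value into a page.
function renderGreeting(string $username): string {
    return 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '<br/>';
}

$db = setupDb();
var_dump(confirmUP($db, "o'brien", 'secret'));
var_dump(confirmUP($db, "o'brien", 'wrong'));
var_dump(confirmUP($db, 'nobody', 'secret'));
var_dump(encodingChangesValue(md5('secret')));
var_dump(encodingChangesValue("pa<ss>&word'"));
echo renderGreeting("o'brien"), "\n";
```

The three var_dump calls on confirmUP() exercise each return code in turn, and the two encodingChangesValue() calls show that the htmlspecialchars() lines in the posted function only look safe because an md5 digest contains no characters the encoder touches; the same lines applied to a raw username or password would silently break the comparison.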

