
mysql_real_escape_string and strip_tags

I have a few questions, if it's OK. I've been updating my site with mysql_real_escape_string and strip_tags; the questions are below in the code. Thanks…

questions and code:

[code=php]
question 1
Should this code?:
<?php echo $rows['message']; ?>

Be like this?:
<?php echo mysql_real_escape_string(strip_tags($rows['message'])); ?>

question 2
For this code do I need to use the mysql_real_escape_string and strip_tags, and if so how?:

// `from` is a reserved word in MySQL, so it has to be backtick-quoted as a column name
$sql = "SELECT sendto, `from`, created, status FROM list WHERE status = '1'";

question 3
For the password fields should I also use the mysql_real_escape_string and strip_tags like this?:

$password = mysql_real_escape_string(strip_tags($_POST['password']));

[/code]

PHP

4 Comments(s)

@g0dzuki99 May 27, 2012 — Not really.

mysql_real_escape_string will essentially add the escape character (\) to quotes (amongst a few others) in a string:

[code=php]
// needs an open mysql_connect() link, otherwise it returns false
$string = "this 'is a test'";
echo mysql_real_escape_string($string);

//Output
// this \'is a test\'
[/code]


Strip tags will remove < and >s from the string - basically, html tags.
[code=php]
$test = '<p>this is a test</p>';
echo strip_tags($test);

//Output
// this is a test
[/code]


You want to use mysql_real_escape_string on data to prep it for insert in the database. Then probably stripslashes() before echoing it to the browser.

magic_quotes_gpc throws a monkey wrench (odd saying) into the whole thing, but let's ignore that I said that for now.

soapbox

Personally, my advice though. If you're just starting out with php don't bother spending too much time on the mysql drivers. They've been replaced by mysqli (i as in 'improved') and php's own PDO. mysql is in the process of being deprecated. Look for PDO tutorials... it may seem a little abstract at first but will make your life easier in the long run - for example, PDO takes care of all the escape string stuff for you.

There's a ton of mysql tutorials out there and most of them, expectedly, are quite out-dated. At this point they do a disservice.

/ soapbox
@Dasher May 27, 2012 — mysql_real_escape_string() should be used mainly to sanitize form data, or data that might be incoming on a url such as "get" data.

Data that is in your database i.e. $row['somefield'] does not need it.
@NogDog May 27, 2012 — Just a clarification here: when mysql_real_escape_string() is used to sanitize inputs before using them in a MySQL query (a very good thing to do, mind you), the back-slashes it puts in the string [I]do not actually end up in the database,[/I] so there is no need to do a stripslashes() on data subsequently retrieved from the DB.

So mysql_real_escape_string() is only intended for securing string data being used in a MySQL query string, but has no purpose when outputting data to a browser -- htmlspecialchars() or htmlentities() is more appropriate for that.
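A worked version of the two contexts NogDog separates above (an added example, not code from this thread): the SQL side uses a PDO prepared statement, as g0dzuki99 recommends, so no escape function is needed at all, and the HTML side uses htmlspecialchars() at echo time. It assumes an in-memory SQLite database standing in for MySQL so it runs without a server; the table and its rows are constructed for the demo, and the question's `from` column is renamed `sender` because `from` is a reserved word.

```php
<?php
// Added example, not from the thread: SQL escaping and HTML escaping are
// two different jobs, done at two different points.
// Assumption: SQLite in memory stands in for the MySQL server; the `list`
// table and the sample row are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE list (sendto TEXT, sender TEXT, created TEXT, status TEXT, message TEXT)");

// Constructed user input that contains both a single quote and an HTML tag,
// i.e. the two characters classes the question worries about.
$message = "O'Brien said <b>hi</b>";

// Input side (the job mysql_real_escape_string() used to do): bind the value.
// The driver sends it separately from the SQL text, so the quote can never
// terminate the string literal, and nothing is added to the stored value.
$stmt = $pdo->prepare(
    "INSERT INTO list (sendto, sender, created, status, message) VALUES (?, ?, ?, ?, ?)"
);
$stmt->execute(['alice', 'bob', '2012-05-27', '1', $message]);

// What comes back is byte-for-byte what went in: no backslashes were stored,
// so there is nothing for stripslashes() to remove (NogDog's point).
$row = $pdo->query("SELECT message FROM list")->fetch(PDO::FETCH_ASSOC);
var_dump($row['message'] === $message);

// Question 2's query. The '1' is a literal written by the programmer, not user
// input, so it never needed escaping; binding it anyway costs nothing and
// keeps the habit consistent.
$stmt = $pdo->prepare("SELECT sendto, sender, created, status FROM list WHERE status = ?");
$stmt->execute(['1']);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Output side (question 1): escape for the HTML context when echoing, not
// when storing. strip_tags() would throw the tags away for good; escaping
// keeps the text intact and merely renders it as text instead of markup.
foreach ($rows as $r) {
    echo htmlspecialchars($r['sendto'], ENT_QUOTES, 'UTF-8'), "\n";
}
echo htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php`: the var_dump confirms the stored message is unchanged, and the final echo shows the quote and angle brackets turned into HTML entities, which is what keeps `<b>` from being interpreted by the browser.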
@ycpc55 (author) May 27, 2012 — wow thanks everyone for all the info.