mysql_real_escape_string problem



adsegzy
Forum Contributor
Posts: 184
Joined: Tue Jul 28, 2009 9:26 am

mysql_real_escape_string problem

Post by adsegzy »

Hello,

I am having a problem with my mysql_real_escape_string syntax, which I am using to protect my database from injection.

I have my PHP file like this:

Code:

<?php
// Escape the submitted values for use in an SQL query.
$subject = mysql_real_escape_string($_POST['subject']);
$message = mysql_real_escape_string($_POST['message']);
// Convert newlines to <br /> before echoing the message back.
echo nl2br($message);
?>
If the message is
Thank
you
very
much
it will echo it out as
thank\r\nyou\r\nvery\r\nmuch
but if I change the syntax to

Code:

<?php
// Escape quotes and backslashes in the submitted values.
$subject = addslashes($_POST['subject']);
$message = addslashes($_POST['message']);
// Convert newlines to <br /> before echoing the message back.
echo nl2br($message);
?>
it will echo it properly:
Thank
you
very
much
Can addslashes() be used instead of mysql_real_escape_string() and my database will still be protected from injection, or is there another syntax that I can use?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: mysql_real_escape_string problem

Post by Weirdan »

adsegzy wrote: can addslashes() be used instead of mysql_real_escape_string() and my database will still be prevented from injection
No.
adsegzy wrote: or is there other syntax that i can use?
Your original code was right: if you put the data in the database and then fetched it back, you would see your message as it was intended.
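To show why the answer to the first question is "no", here is an added example that is not code from anyone in this thread. addslashes() works byte by byte and has no idea which character set the database connection uses, so in a multibyte charset such as GBK the backslash it inserts can be absorbed into the preceding character and the quote it was meant to protect becomes live again. The attacker input below is constructed for the demonstration; the helper hasLiveQuote() is an assumed name written for this example and needs the mbstring extension (mb_str_split is PHP 7.4 or later).

```php
<?php
// Added example for this thread, not code posted by anyone in it. It shows
// why addslashes() is not a safe stand-in for mysql_real_escape_string():
// addslashes() escapes bytes, but the database parses characters in the
// connection's charset, and the two views can disagree.

/**
 * Walk an already-escaped value as characters in $charset and report
 * whether any single-quote character is NOT preceded by a backslash
 * character, i.e. whether a quote is still live and would terminate a
 * string literal inside the query.
 */
function hasLiveQuote(string $escapedValue, string $charset): bool
{
    $prev = '';
    foreach (mb_str_split($escapedValue, 1, $charset) as $ch) {
        if ($ch === "'" && $prev !== '\\') {
            return true;
        }
        $prev = $ch;
    }
    return false;
}

// Constructed attacker input: the byte 0xBF, then a quote, then a payload.
$input   = "\xbf' OR 1=1 -- ";
$escaped = addslashes($input);   // bytes: BF 5C 27 20 4F 52 ...

// Single-byte charset: BF, 5C and 27 are three separate characters, so the
// inserted backslash sits right in front of the quote.
var_dump(hasLiveQuote($escaped, 'ISO-8859-1'));

// GBK: a lead byte in 0x81-0xFE takes the next byte as its trail byte, so
// BF 5C is parsed as ONE character and the backslash disappears into it.
var_dump(hasLiveQuote($escaped, 'GBK'));
```

Under ISO-8859-1 the quote is reported as protected, under GBK as live, and the only thing that changed is the charset the parser assumes. mysql_real_escape_string() asks the server which charset the connection uses before escaping (which is also why it needs an open connection), whereas addslashes() cannot; the cleaner fix is a prepared statement, which never splices the value into the query text at all.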
adsegzy
Forum Contributor
Posts: 184
Joined: Tue Jul 28, 2009 9:26 am

Re: mysql_real_escape_string problem

Post by adsegzy »

But the members will be confused to see the way the message is re-echoed in case the form is not submitted the first time. I also have internet newbies in mind. Though this message may not go into the database. Is there any other way out?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: mysql_real_escape_string problem

Post by Apollo »

After

Code:

$message = mysql_real_escape_string($_POST['message']);

$message is NOT (or at least not in general / guaranteed to be) suitable any more to be printed as HTML output.

Consider mysql_real_escape_string($s) as a function that messes up $s, making it only suitable (and safe) to be used in an SQL query.
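The way out of the original problem is to keep one raw copy of the input and apply the escaping that fits each output context at the point of use: HTML escaping when the form is re-echoed, SQL escaping (or, better, a prepared statement) only when the query is built. The following is an added example, not the poster's code. It uses mysqli because the mysql_* functions the thread discusses no longer exist in current PHP; the table name, column names, connection details and the helper names forHtml(), storeMessage() and buildInsert() are assumptions made for this example, and the form input is constructed inline in place of $_POST.

```php
<?php
// Added example, not the poster's code. One raw copy of the input; each
// output context gets its own escaping at the moment the value is used.

/** Prepare a raw string for re-display inside an HTML page. */
function forHtml(string $raw): string
{
    // htmlspecialchars() neutralises <, >, &, " and ' so the value cannot
    // break out of the page; nl2br() then turns real line breaks into <br />.
    // The real "\r\n" bytes are still present, so nl2br() finds them.
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

/** Store the raw value with a prepared statement: no string escaping at all. */
function storeMessage(mysqli $db, string $subject, string $message): bool
{
    // Hypothetical table and columns, an assumption of this example.
    $stmt = $db->prepare('INSERT INTO messages (subject, message) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $subject, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Legacy path for code that still concatenates SQL: escape here, with the
 * connection's own charset, and nowhere earlier in the request.
 */
function buildInsert(mysqli $db, string $subject, string $message): string
{
    return sprintf(
        "INSERT INTO messages (subject, message) VALUES ('%s', '%s')",
        $db->real_escape_string($subject),
        $db->real_escape_string($message)
    );
}

// Constructed form input standing in for $_POST; note the real CRLF bytes
// and the characters that matter to HTML and to SQL.
$post = [
    'subject' => 'Hi',
    'message' => "Thank\r\nyou\r\nvery\r\nmuch <b>&</b> O'Brien",
];

$subject = $post['subject'] ?? '';   // raw, unescaped
$message = $post['message'] ?? '';   // raw, unescaped

// Re-echo the form after a failed submit: HTML escaping only.
echo forHtml($message), "\n";

// Store it: the database side gets the raw value through a placeholder.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    // Hypothetical connection details, an assumption of this example.
    $db = new mysqli('localhost', 'forum_user', 'secret', 'forum');
    $db->set_charset('utf8mb4');   // real_escape_string() relies on this
    storeMessage($db, $subject, $message);
} catch (mysqli_sql_exception $e) {
    echo 'Database unavailable: ', $e->getMessage(), "\n";
}
```

The point to check in your own code is where the escaping happens: if an escaped value is ever stored in a variable that is later echoed, validated or escaped a second time, the contexts have been mixed. Keep $_POST values raw, escape for HTML in the template, and let the database driver bind the value in the query.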