why .mysql_escape_string($_COOKIE['USERNAME']). ?

Milan
Forum Commoner
Posts: 97
Joined: Wed May 17, 2006 6:08 pm

Post by Milan »

In one of my previous posts you guys helped me to update the table, but one of you used

.mysql_escape_string($_COOKIE['USERNAME']).


Why is that better than if I used a plain $_COOKIE['USERNAME']?

The full line is

$query = "UPDATE `users` set `password` = $newp where `username` = '".mysql_escape_string($_COOKIE['username'])."'";
jonra
Forum Newbie
Posts: 22
Joined: Thu May 25, 2006 9:35 am
Location: Iowa

Post by jonra »

It's a security risk to not use it. Without proper data cleaning, or even with just using 'addslashes' it is easy for a hacker to use injection to dig into the site structure. If you're using magic_quotes, you don't need to use this - but you should probably use .htaccess to turn magic quotes off - or write code that checks for it being on or off.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

And now you are supposed to use mysql_real_escape_string() instead (see the docs).
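Added example (not code from the thread or from any poster): the concatenated UPDATE from the question next to a prepared-statement version, which is what replaces the mysql_escape_string()/mysql_real_escape_string() approach in current PHP. It assumes a `users` table with `username` and `password` columns and PDO with the MySQL driver; the connection details and the cookie value are constructed placeholders.

```php
<?php
// Added example, not from the thread. Assumes a `users` table with
// `username` and `password` columns and PDO's mysql driver; the DSN,
// credentials and cookie value below are constructed placeholders.
declare(strict_types=1);

/**
 * The pattern from the question: the cookie value is pasted into the SQL
 * text. Whatever the client puts in the cookie becomes part of the
 * statement, so a single quote in the value changes the statement's
 * structure instead of being treated as data.
 */
function buildQueryByConcatenation(string $username, string $newPasswordHash): string
{
    return "UPDATE `users` SET `password` = '$newPasswordHash' "
         . "WHERE `username` = '$username'";
}

/**
 * Safer form: the statement text is fixed and the values are sent as bound
 * parameters, so the server never parses cookie contents as SQL. The
 * mysql_* escaping functions belong to ext/mysql, which was removed in
 * PHP 7; PDO (or mysqli) with prepared statements is the replacement.
 */
function updatePassword(PDO $db, string $username, string $newPasswordHash): int
{
    $stmt = $db->prepare(
        'UPDATE `users` SET `password` = :password WHERE `username` = :username'
    );
    $stmt->execute([
        ':password' => $newPasswordHash,
        ':username' => $username,
    ]);
    return $stmt->rowCount(); // number of rows the UPDATE touched
}

// Constructed cookie value: an ordinary name containing an apostrophe is
// enough to break the concatenated statement; no attacker input is needed.
$cookieUsername = "O'Brien";
echo buildQueryByConcatenation($cookieUsername, 'hash') . PHP_EOL;

$db = new PDO('mysql:host=localhost;dbname=example', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);
updatePassword($db, $cookieUsername, password_hash('new-secret', PASSWORD_DEFAULT));
```

Binding the value only fixes the quoting problem; the cookie is still client-controlled, so in a real application the account to update should come from the server-side session rather than from $_COOKIE.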
Milan
Forum Commoner
Posts: 97
Joined: Wed May 17, 2006 6:08 pm

Post by Milan »

Once again a fast and precise answer :)

You people are priceless.