Escape user input

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Escape user input

Post by user___ »

Hi guys,
I have developed a function which escapes the user input after it is parsed into a variable which contains the whole query. After I have browsed through some of the topics here I found out I was wrong.

Am I right that this lacks security at all?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Without seeing the code it's difficult to say, but it sounds like you're trying to escape the whole query (only the variable should be escaped).
user___

Reply

Post by user___ »

Yes, I do escape the whole query. So I have to rewrite it to escape only the input.
Something like this:

Code:

function esc($sql) {
    // The escaping of the whole assembled query would go here
    return $sql;
}
mysql_query(esc($sql));
Thank you.
John Cartwright

Post by John Cartwright »

More along the lines of:

Code:

// Escape each value on its own, before it is placed inside the quoted literal
$username = isset($_POST['username']) ? mysql_real_escape_string($_POST['username']) : '';
$password = isset($_POST['password']) ? mysql_real_escape_string($_POST['password']) : '';

// SELECT * FROM `bleh` WHERE `user` = '$username' and `pass` = '$password'

Like I said, do not escape the whole query.
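The difference John is describing, as an added example that is not part of the thread: the mysql_* functions used above were removed in PHP 7, so this version uses mysqli. The connection $db, its credentials, and the `users` table with columns `user` and `pass` are assumptions, as is the constructed $post input.

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli
// connection $db (mysqlnd driver) and a table `users` with columns
// `user` and `pass`; all of these names are assumptions.

// What the original poster was doing: escaping the assembled query.
// Every quote in the SQL, including the ones that delimit the literals,
// receives a backslash, so the statement no longer parses, while a quote
// that arrived through $_POST was already treated as SQL before this ran.
function escapeWholeQueryWrong(mysqli $db, string $sql): string
{
    return $db->real_escape_string($sql);
}

// John's approach: escape each untrusted value, then place it inside
// a single-quoted literal. Both halves matter: an escaped value that is
// not quoted, or a quoted value that is not escaped, is still injectable.
function buildLoginQuery(mysqli $db, array $post): string
{
    $username = isset($post['username']) ? $db->real_escape_string($post['username']) : '';
    $password = isset($post['password']) ? $db->real_escape_string($post['password']) : '';
    return "SELECT * FROM `users` WHERE `user` = '$username' AND `pass` = '$password'";
}

// The same lookup as a prepared statement: values are bound separately
// from the SQL text, so no escaping is needed and none can be forgotten.
function findUser(mysqli $db, array $post): ?array
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    $stmt = $db->prepare("SELECT * FROM `users` WHERE `user` = ? AND `pass` = ?");
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed input: an apostrophe in the username, the everyday case
// that escaping exists to handle.
$post = ['username' => "o'brien", 'password' => 'hunter2'];
$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials

// Broken SQL: ... WHERE `user` = \'o\'brien\'
echo escapeWholeQueryWrong($db, "SELECT * FROM `users` WHERE `user` = '{$post['username']}'"), "\n";
// Valid SQL: ... WHERE `user` = 'o\'brien' AND `pass` = 'hunter2'
echo buildLoginQuery($db, $post), "\n";
var_dump(findUser($db, $post));
```

Running the first echo against a real connection shows why whole-query escaping fails: the backslashes land on the delimiting quotes rather than on the user-supplied one. The prepared-statement version is the one to prefer in new code, since it removes the escaping step that the original poster got wrong.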
user___

Reply

Post by user___ »

Thank you, man.
John Cartwright

Re: Reply

Post by John Cartwright »

user___ wrote: Thank you, man.

My pleasure.