PHP escaping strings for me.
Moderator: General Moderators
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP escaping strings for me.
Then you have to use a code snippet similar to the one I provided. (To "undo" MQGPC)
Re: PHP escaping strings for me.
kaisellgren wrote: Then you have to use a code snippet similar to the one I provided. (To "undo" MQGPC)
So you mean stripslashes? I could just use stripslashes on all of the variables that I will be using mysql_real_escape_string on. I don't know if I want to go through every gpc parameter and strip them of slashes. I probably would like to change hosting providers, lol.
What's a good hosting provider; I'm tired of godaddy's shared servers? I could go for one of their virtual dedicated or dedicated servers, but honestly, I don't think I like godaddy. Do you know of any good services? Which do you use? I need a server where I have a little more control. I heard slicehost.com was good, but I'm a newbie and I don't know if I'll be able to manage it. But then again, maybe it's just that I never managed a server before. How hard could it be? What are some of the essential things I need to know in order not to smurf up anything?
I hope that's not too many questions for one post.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP escaping strings for me.
You do not need to stripslash() manually, as you can see the code I gave does it all by itself...
DownTownHost is excellent for shared hosting. Hostineuro is excellent for VPS. Anhost is great for dedicated servers.
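What "undoing" magic_quotes_gpc amounts to, as an added example (this is not kaisellgren's snippet, which does not appear on this page): strip the automatic slashes once, recursively, and only when the setting is on. The helper name undo_magic_quotes() and the sample input are constructed for illustration.

```php
<?php
// Added illustration; undo_magic_quotes() is a hypothetical helper name.

// Recursively strip the slashes that magic_quotes_gpc added to request values.
// Array keys are left as received.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8,
// so check that it exists before calling it.
$magicQuotesOn = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

if ($magicQuotesOn) {
    // Run once, at the top of the request, before any other code reads input.
    // After this, values are raw and get escaped exactly once, at the query.
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed sample: what $_POST holds when magic quotes has already
// escaped the submitted values O'Reilly and it's.
$sample = array('search' => 'O\\\'Reilly', 'tags' => array('it\\\'s'));
$clean  = undo_magic_quotes($sample);

echo $sample['search'], ' -> ', $clean['search'], "\n";
echo $sample['tags'][0], ' -> ', $clean['tags'][0], "\n";
```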
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Re: PHP escaping strings for me.
I'm pretty sure a php.ini file at the root of your site won't be loaded (is it?).
Depends if PHP is running as a module or as CGI.
Perhaps try this, in a .htaccess file:
Code:
php_flag magic_quotes_gpc off
- simonmlewis
- DevNet Master
- Posts: 4435
- Joined: Wed Oct 08, 2008 3:39 pm
- Location: United Kingdom
- Contact:
Re: PHP escaping strings for me.
I am also trying to use the mysql_real_escape_string()); however I now have a problem.
I have used it successfully for a login script - before it would allow a username and some "or" code to allow ANY one in.
But now I am trying to assign this to a search engine result page but I am seeing errors.
Here's one part of code which places a log in the database.
Code:
$search=$_POST['search'];
mysql_query("INSERT INTO searchlog (keywords) VALUES ('$search')",
mysql_real_escape_string($search));
however the error it reports is:
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource .... on line 7,
which is the mysql_real........ code.
Oddly, this is the same code, except for the $variable.
Simon
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP escaping strings for me.
The code is wrong.
The escape must be made before the query and you must assign the escaped value into the variable. Furthermore, you are passing the escaped value as the resource link...
Code:
$search=mysql_real_escape_string($_POST['search']);
mysql_query("INSERT INTO searchlog (keywords) VALUES ('$search')");
- simonmlewis
- DevNet Master
- Posts: 4435
- Joined: Wed Oct 08, 2008 3:39 pm
- Location: United Kingdom
- Contact:
Re: PHP escaping strings for me.
Thanks.
In theory then, this should work too:
Code:
$search=mysql_real_escape_string($_POST['$search']);
$result = mysql_query ('SELECT * FROM search WHERE keywords LIKE `%$search%` ORDER BY section ASC');
...though the
Code:
$search=mysql_real_escape_string($_POST['$search']);
... is written at the top of the page in a <?php section so shouldn't need repeating.
The initial 'insert' code now works, but the query doesn't.
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: PHP escaping strings for me.
change
$search=mysql_real_escape_string($_POST['$search']);
to
$search=mysql_real_escape_string($_POST['search']);
- simonmlewis
- DevNet Master
- Posts: 4435
- Joined: Wed Oct 08, 2008 3:39 pm
- Location: United Kingdom
- Contact:
Re: PHP escaping strings for me.
Problem resolved.
It didn't like single quotes - preferred double quote, and then singles around the variable names.
Thanks.
Simon
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
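The search log and search query from this thread written with bound parameters instead of string interpolation, as an added example that is not code from any poster. It assumes PDO with an in-memory SQLite database so it runs without a server (for MySQL only the DSN changes); the table and column names come from the thread, while like_contains(), search_keywords() and the sample rows are constructed.

```php
<?php
// Added illustration, not code from the thread. like_contains() and
// search_keywords() are hypothetical helper names.

// Turn user text into a "contains" LIKE pattern. %, _ and the escape
// character itself are escaped so they match literally.
function like_contains(string $term): string
{
    return '%' . strtr($term, array('!' => '!!', '%' => '!%', '_' => '!_')) . '%';
}

function search_keywords(PDO $db, string $term): array
{
    // Log the search. The value travels as a bound parameter and is never
    // spliced into the SQL text, so no manual escaping is involved.
    $db->prepare('INSERT INTO searchlog (keywords) VALUES (?)')
       ->execute(array($term));

    // String values go in placeholders; backticks would mark identifiers.
    $stmt = $db->prepare(
        "SELECT keywords, section FROM search
         WHERE keywords LIKE ? ESCAPE '!' ORDER BY section ASC"
    );
    $stmt->execute(array(like_contains($term)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE search (keywords TEXT, section TEXT)');
$db->exec('CREATE TABLE searchlog (keywords TEXT)');
$db->exec("INSERT INTO search VALUES
    ('php escaping', 'a'), ('100% cotton', 'b'), ('css tricks', 'c')");

// Constructed inputs: an ordinary term, a literal %, and a quote-bearing string.
foreach (array('php', '%', "x' OR '1'='1") as $term) {
    printf("%-14s => %d row(s)\n", $term, count(search_keywords($db, $term)));
}
```

With the constructed rows, the bare % matches only the row that contains a literal percent sign, and the quote-bearing input is stored and searched as plain text and matches nothing.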