PHP escaping strings for me.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP escaping strings for me.

Post by kaisellgren »

Then you have to use a code snippet similar to the one I provided. (To "undo" MQGPC)
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Re: PHP escaping strings for me.

Post by JellyFish »

kaisellgren wrote:Then you have to use a code snippet similar to the one I provided. (To "undo" MQGPC)
So you mean stripslashes? I could just use stripslashes on all of the variables that I will be using mysql_real_escape_string on. I don't know if I want to go through every gpc parameter and strip them of slashes. I probably would like to change hosting providers, lol.

What's a good hosting provider; I'm tired of godaddy's shared servers? I could go for one of their virtual dedicated or dedicated servers, but honestly, I don't think I like godaddy. Do you know of any good services? Which do you use? I need a server where I have a little more control. I heard slicehost.com was good, but I'm a newbie and I don't know if I'll be able to manage it. But then again, maybe it's just that I never managed a server before. How hard could it be? What are some of the essential things I need to know in order not to smurf up anything?

I hope that's not too many questions for one post. :P
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP escaping strings for me.

Post by kaisellgren »

You do not need to stripslash() manually, as you can see the code I gave does it all by itself...

DownTownHost is excellent for shared hosting. Hostineuro is excellent for VPS. Anhost is great for dedicated servers.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: PHP escaping strings for me.

Post by Chris Corbyn »

I'm pretty sure a php.ini file at the root of your site won't be loaded (is it?).

Perhaps try this, in a .htaccess file:

Code:

php_flag magic_quotes_gpc off
Depends if PHP is running as a module or as CGI.
simonmlewis
DevNet Master
Posts: 4435
Joined: Wed Oct 08, 2008 3:39 pm
Location: United Kingdom

Re: PHP escaping strings for me.

Post by simonmlewis »

I am also trying to use mysql_real_escape_string(); however, I now have a problem.

I have used it successfully for a login script - before it would allow a username and some "or" code to allow ANY one in.

But now I am trying to assign this to a search engine result page, but I am seeing errors.

Here's one part of code which places a log in the database.

Code:

 
$search=$_POST['search'];
 
mysql_query("INSERT INTO searchlog (keywords) VALUES ('$search')", 
mysql_real_escape_string($search));
 
however the error it reports is:
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource .... on line 7,
which is the mysql_real........ code.

Oddly, this is the same code, except for the $variable.

Simon
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP escaping strings for me.

Post by kaisellgren »

The code is wrong.

The escape must be made before the query, and you must assign the escaped value into the variable. Furthermore, you are passing the escaped value as the resource link...

Code:

$search=mysql_real_escape_string($_POST['search']);
mysql_query("INSERT INTO searchlog (keywords) VALUES ('$search')");
simonmlewis
DevNet Master
Posts: 4435
Joined: Wed Oct 08, 2008 3:39 pm
Location: United Kingdom

Re: PHP escaping strings for me.

Post by simonmlewis »

Thanks.

In theory then, this should work too:

Code:

 
$search=mysql_real_escape_string($_POST['$search']);
$result = mysql_query ('SELECT * FROM search WHERE keywords LIKE `%$search%` ORDER BY section ASC');
...though the

Code:

$search=mysql_real_escape_string($_POST['$search']);
... is written at the top of the page in a <?php section so shouldn't need repeating.

The initial 'insert' code now works, but the query doesn't.
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: PHP escaping strings for me.

Post by John Cartwright »

change

$search=mysql_real_escape_string($_POST['$search']);

to

$search=mysql_real_escape_string($_POST['search']);
simonmlewis
DevNet Master
Posts: 4435
Joined: Wed Oct 08, 2008 3:39 pm
Location: United Kingdom

Re: PHP escaping strings for me.

Post by simonmlewis »

Problem resolved.

It didn't like single quotes - preferred double quote, and then singles around the variable names.

Thanks.
Simon
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
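The following is an added example, not code from the thread or from any of its posters. It pulls together the three points raised above: kaisellgren's note that the value must be escaped first and the escaped value assigned back before it goes into the query, Chris Corbyn's magic_quotes_gpc problem (handled here at runtime, which also covers the CGI case where php_flag in .htaccess is ignored), and Simon's quoting fix of a double-quoted PHP string with single quotes around the SQL literal. It assumes the tables the thread implies, searchlog(keywords) and search(keywords, section), uses placeholder credentials, and uses mysqli's real_escape_string because the mysql_* extension the thread relies on was removed in PHP 7. The LIKE wildcard handling and the prepared-statement variant at the end are additions that the thread does not discuss.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL database with the
// tables the thread implies: searchlog(keywords) and search(keywords, section).
// Credentials are placeholders. mysqli is used because the mysql_* extension
// discussed in the thread was removed in PHP 7.

// 1. Undo magic_quotes_gpc at runtime (the option only exists on PHP < 5.4).
//    When it is on, every GPC value already carries backslashes, so escaping it
//    again would double them. Stripping them first restores the raw value, and
//    this works whether PHP runs as an Apache module or as CGI, unlike a
//    php_flag line in .htaccess.
function undo_magic_quotes(array $data)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? undo_magic_quotes($value) : stripslashes($value);
    }
    return $data;
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}

$raw = isset($_POST['search']) ? $_POST['search'] : '';

// 2. Escape first, assign the escaped value back, then interpolate it inside a
//    double-quoted PHP string with single quotes around the SQL literal.
//    real_escape_string is a method on the connection, so the link cannot be
//    passed as the wrong argument the way the original mysql_query() call did.
$search = $db->real_escape_string($raw);
$db->query("INSERT INTO searchlog (keywords) VALUES ('$search')");

// 3. For LIKE, % and _ are wildcards that real_escape_string leaves alone.
//    Backslash-escape them first, then escape the result for the string
//    literal: '\\%' reaches LIKE as \% and matches a literal percent sign,
//    so user input cannot widen the search to every row.
function like_pattern(mysqli $db, $needle)
{
    return '%' . $db->real_escape_string(addcslashes($needle, '%_')) . '%';
}
$pattern = like_pattern($db, $raw);
$result  = $db->query("SELECT * FROM search WHERE keywords LIKE '$pattern' ORDER BY section ASC");
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['keywords'], ENT_QUOTES, 'UTF-8'), "\n";
}

// 4. The same SELECT as a prepared statement: the pattern travels as a bound
//    parameter, so no string-literal escaping is needed at all, but the LIKE
//    wildcards must still be escaped because LIKE, not the SQL parser,
//    interprets them.
$stmt  = $db->prepare('SELECT * FROM search WHERE keywords LIKE ? ORDER BY section ASC');
$bound = '%' . addcslashes($raw, '%_') . '%';
$stmt->bind_param('s', $bound);
$stmt->execute();
$rows = $stmt->get_result(); // get_result() requires the mysqlnd driver
while ($row = $rows->fetch_assoc()) {
    echo htmlspecialchars($row['keywords'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The order in step 3 matters: addcslashes runs before real_escape_string so that the backslash it inserts is itself escaped for the string literal and survives to LIKE. Step 4 is the form to prefer on any PHP version where mysqli or PDO is available, since it removes the escaping step that every post in this thread got wrong at least once.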