Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 10:58 am
by kaisellgren
Then you have to use a code snippet similar to the one I provided. (To "undo" MQGPC)
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 11:23 am
by JellyFish
kaisellgren wrote: Then you have to use a code snippet similar to the one I provided. (To "undo" MQGPC)
So you mean stripslashes? I could just use stripslashes on all of the variables that I will be using mysql_real_escape_string on. I don't know if I want to go through every gpc parameter and strip them of slashes. I probably would like to change hosting providers, lol.
What's a good hosting provider; I'm tired of godaddy's shared servers? I could go for one of their virtual dedicated or dedicated servers, but honestly, I don't think I like godaddy. Do you know of any good services? Which do you use? I need a server where I have a little more control. I heard slicehost.com was good, but I'm a newbie and I don't know if I'll be able to manage it. But then again, maybe it's just that I never managed a server before. How hard could it be? What are some of the essential things I need to know in order not to smurf up anything?
I hope that's not too many questions for one post.

Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 12:12 pm
by kaisellgren
You do not need to stripslash() manually, as you can see the code I gave does it all by itself...
DownTownHost is excellent for shared hosting. Hostineuro is excellent for VPS. Anhost is great for dedicated servers.
Re: PHP escaping strings for me.
Posted: Wed Mar 11, 2009 1:30 am
by Chris Corbyn
I'm pretty sure a php.ini file at the root of your site won't be loaded (is it?).
Perhaps try this, in a .htaccess file:
Depends if PHP is running as a module or as CGI.
Re: PHP escaping strings for me.
Posted: Wed Mar 11, 2009 11:34 am
by simonmlewis
I am also trying to use mysql_real_escape_string(); however, I now have a problem.
I have used it successfully for a login script - before it would allow a username and some "or" code to allow ANY one in.
But now I am trying to assign this to a search engine result page but I am seeing errors.
Here's one part of code which places a log in the database.
Code:
$search=$_POST['search'];
mysql_query("INSERT INTO searchlog (keywords) VALUES ('$search')",
mysql_real_escape_string($search));
however the error it reports is:
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource .... on line 7,
which is the mysql_real........ code.
Oddly, this is the same code, except for the $variable.
Simon
Re: PHP escaping strings for me.
Posted: Wed Mar 11, 2009 11:36 am
by kaisellgren
The code is wrong.
The escape must be made before the query and you must assign the escaped value into the variable. Furthermore, you are passing the escaped value as the resource link...
Code:
$search=mysql_real_escape_string($_POST['search']);
mysql_query("INSERT INTO searchlog (keywords) VALUES ('$search')");
Re: PHP escaping strings for me.
Posted: Wed Mar 11, 2009 12:07 pm
by simonmlewis
Thanks.
In theory then, this should work too:
Code:
$search=mysql_real_escape_string($_POST['$search']);
$result = mysql_query ('SELECT * FROM search WHERE keywords LIKE `%$search%` ORDER BY section ASC');
...though the
Code:
$search=mysql_real_escape_string($_POST['$search']);
... is written at the top of the page in a <?php section so shouldn't need repeating.
The initial 'insert' code now works, but the query doesn't.
Re: PHP escaping strings for me.
Posted: Wed Mar 11, 2009 12:12 pm
by John Cartwright
change
$search=mysql_real_escape_string($_POST['$search']);
to
$search=mysql_real_escape_string($_POST['search']);
Re: PHP escaping strings for me.
Posted: Wed Mar 11, 2009 12:17 pm
by simonmlewis
Problem resolved.
It didn't like single quotes - preferred double quotes, and then singles around the variable names.
Thanks.
Simon
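
Added example, not part of the original thread: the two queries discussed above (the searchlog INSERT and the keywords LIKE search) written with PDO prepared statements instead of mysql_real_escape_string(), since the mysql_* functions were removed in PHP 7. It goes slightly beyond the thread by also escaping LIKE wildcards. The in-memory SQLite database, the sample rows and inputs, and the logAndSearch() helper are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. PDO with an in-memory SQLite
// database is an assumption so the script runs offline; table and column
// names follow the thread, the rows and inputs are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE searchlog (keywords TEXT)');
$db->exec('CREATE TABLE search (section TEXT, keywords TEXT)');
$db->exec("INSERT INTO search VALUES ('books', 'o''reilly php'),
           ('clothes', '100% cotton'), ('misc', '100 cotton balls')");

// Hypothetical helper: log the search term, then run the LIKE query.
function logAndSearch(PDO $db, array $post): array
{
    // The key is the literal string 'search', not '$search'.
    // Non-string input (e.g. search[]=x) is treated as an empty term.
    $search = is_string($post['search'] ?? null) ? $post['search'] : '';

    // Bound parameter: the value is sent separately from the SQL text, so a
    // quote in it cannot end the string literal.
    $db->prepare('INSERT INTO searchlog (keywords) VALUES (?)')
       ->execute([$search]);

    // Make % and _ in the input match literally; '!' is the escape
    // character chosen here for the LIKE pattern.
    $pattern = '%' . strtr($search, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $db->prepare(
        "SELECT section, keywords FROM search
         WHERE keywords LIKE ? ESCAPE '!' ORDER BY section ASC"
    );
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['search'].
foreach (["o'reilly", "100%", "x' OR '1'='1"] as $term) {
    $rows = logAndSearch($db, ['search' => $term]);
    printf("%-14s => %d row(s)\n", $term, count($rows));
}
echo $db->query('SELECT COUNT(*) FROM searchlog')->fetchColumn(), " terms logged\n";
```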