Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
need guidance on how this mysql real escape string works on this statement, i don't want mysqli and the pdo types. i have tried it, but it is not working, need some help about this
$UserName =mysql_real_escape_string($_POST['UserName']);
$password =mysql_real_escape_string($_POST['Password']);
// Insert data into mysql
$sql1="INSERT INTO UserDetail (UserName,Password,Email_Address,Verifycode,AcoountStatus)VALUES('$UserName','$encry_pass','$email','$verify_code','Inactive')";
it is not working … the strings like />., still can be enter in the sql database
It is working.
mysql_real_escape_string is a function that escapes characters which have special meaning in SQL.
/ and > do not have special meaning in SQL, so it shouldn't touch them.
If they did have special meaning, then the point of the function is to allow them to be inserted into the database. It makes changes such as converting ' (meaning "Start or end an SQL string") to \' (meaning "An apostrophe").
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
This is PHP's procedural way of using mysqli_real_escape_string:
$city = "'s Hertogenbosch";
$city = mysqli_real_escape_string($link, $city);
As you can see, the method requires two parameters:
The connection / link
The string
Why do I need to specify the link? What If I just want to parse a regular string and then return an escaped string?
Here is how the function is described in the documentation (emphasis mine):
Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection
The connection is needed to determine the character set to use when escaping the string, which is important for security.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
select * from files where filename=\'this.txt\''
I looked at MySQL is not inserting a backslash and couldn't see the the exact reason why \ was being dropped.
Long story short (I know the security implications...) the above is stored in a cell. The contents of the cell then gets executed. My question is why isn't there an issue with the backward slashes being present?
In short, why does this work when I would have thought the correct way would be
select * from files where filename='this.txt'
The PHP comes in how the query is ran
$result = mysqli_query($db,$query)
ESCAPE Character is usually work while put it twice.
if you want to store backward slash then you have escape it by adding on more \\.
You will find complete reference here
http://dev.mysql.com/doc/refman/5.7/en/string-literals.html
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
When is it better to escape data in json (to avoid cross-site scripting)?
1. To return escaped data
2. To escape in javascript when we use json to update page.
I try to escape on server, but some jquery functions escape data too, so after update of page
data looks different.
Data formats should be kept as clean as possible. Put the raw data in the JSON. Escape it only when JSON requires it (e.g. when you have a " character in a string).
When you take the data out of JSON and put it somewhere else (e.g. in an HTML document, into the DOM, into an SQL query, etc) then escape it appropriately for where you are putting it.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
How can I submit any kind of symbols to php and update it into my database tables? When I use some symbols ('!##$%^&*()_+=), it does not update the database table.
Can anybody help me?
You can use the htmlspecialchars() in which you can find the documentation here.
http://us.php.net/htmlspecialchars
Use function htmlentities()
The values will not be stored in the database as they are like ('!##$%^&*()_+=) but this function will change your " to " and other characters respectively.
Keep aware yourself of SQL Injection and XSS. If you do not filter your inputs properly then your code will be vulnerable to script kiddies.
You could use the htmlentities() function. It's the best solution I think.
If you really really don't want to use this function for some reason you can always change the column type to text instead of varchar.
Edit: sorry for using the wrong function. You guys are right. Maybe mysql_real_escape_string() does the job but probably it would only take care of the quotations.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
What is the equivalent of the below in SQL?
PHP function for MySQL:
mysqli_real_escape_string($POST['password']);
Escaping is done to prepare a SQL statement correctly. There is no equivalent in MySQL because by the time it hits that layer it should have been escaped in the first place.
Using mysqli_real_escape_string is also a sign you're doing something incorrectly as you should be using the bind_param method instead of this kind of super low-level call.