Problems in inserting data using "safe way to input data to mysql using PHP"
I am trying to input data into MySQL using forms, and I am also using mysql_real_escape_string for this purpose. Unfortunately I am having a problem with the output. It displays \s, or if I use stripslashes then it removes all slashes.

If I submit web's forms using backslash \ I get this output:

"web\'s forms using backslash \\"

See, I got a double backslash. But if I use the stripslashes function then it removes all slashes, including the slash that was input, and the output is

"web's forms using backslash"

Here, no backslash is displayed, but there should be one backslash at the end.

The problem is that if someone uses a backslash in the password field or any other field, then the backslash will be stripped or displayed twice. And also please tell me what is best for displaying output: htmlentities or htmlspecialchars?

Strata answered 17/1, 2011 at 5:55 Comment(0)
You have magic quotes turned on. You need to disable them altogether, as they are not good in terms of security.

Set them to off from php.ini (preferred):

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Or you can disable them at runtime:

<?php
// Magic quotes already put a backslash before every quote and backslash in
// the incoming GET/POST/COOKIE data; undo that once, for keys and values,
// before the data is escaped or bound for MySQL.
// Runtime fallback only: get_magic_quotes_gpc() and magic quotes were removed
// in PHP 8, so the call is guarded with function_exists().
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    // Nested arrays are appended to $process as they are found, so count()
    // is re-evaluated on every iteration (the old each() loop did the same;
    // each() is gone in PHP 8).
    for ($key = 0; $key < count($process); $key++)
    {
        $val = $process[$key];
        foreach ($val as $k => $v)
        {
            unset($process[$key][$k]);
            if (is_array($v))
            {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            }
            else
            {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}
Fer answered 17/1, 2011 at 5:58 Comment(0)
Use the mysqli library and prepared statements. Then all characters go in as data and you don't need to mess with all this stuff.

What characters are NOT escaped with a mysqli prepared statement?

Why is using a mysql prepared statement more secure than using the common escape functions?

Dunson answered 17/1, 2011 at 6:0 Comment(3)
This answer has not the slightest relation to the OP's problem and should be a comment. – Occidentalize
Sorry if I wasn't clear enough. If you don't need the backslashes in the first place, you don't need to worry about them coming back. – Dunson
You weren't sorry enough. Again: this answer has not the slightest relation to the OP's problem. Care to read the question before writing an answer? – Occidentalize
Safe way to input data to mysql

Problems in inserting data using “safe way to input data to mysql using PHP”

You should use PDO (the new, improved way) prepared statements, which are safer and faster than their predecessors (mysql_real_escape_string, etc.). Why you Should be using PHP's PDO for Database Access goes into deeper details.

Displaying output

The problem is that if someone uses a backslash in the password field or any other field, then the backslash will be stripped or displayed twice. And also please tell me what is best for displaying output: htmlentities or htmlspecialchars.

The new and improved way is to use filter. In particular I would advise you to read all these Performance and Security slides from PHP creator Rasmus Lerdorf. http://talks.php.net/ has a lot of good slides in general which you should have a look at.

Wed answered 17/1, 2011 at 7:10 Comment(4)
Another pointless answer that should be a comment, as it will not solve the OP's problem, being just a side note. Why does none of you ever care to READ the question? Or, AT LEAST, the previous answers? – Occidentalize
You might be a little bit right about that, but does it really deserve downvoting? Sometimes I think people get a kick out of downvoting.... – Wed
Yes, it does, just because you still do not understand the question and answered not a friggin bit of it. – Occidentalize
The title says: "Problems in inserting data using "safe way to input data to mysql using PHP"" => PDO is the way to insert data into MySQL safely, so please explain what I answered incorrectly?? If I provided the wrong answer, why don't you give the right answer instead, instead of down-voting me? I think my answer is pretty good! – Wed
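As an added example (not code from the original thread), here is the prepared-statement approach from this answer and from Dunson's answer above, carried through the original poster's input: a value with an apostrophe, a backslash and some HTML goes in through a bound parameter, comes back unchanged, and is passed through htmlspecialchars on the way out. It assumes PDO with the sqlite driver so it runs offline; the MySQL DSN mentioned in the comment is a placeholder you would substitute.

```php
<?php
// Added example, not from the original thread.
// Assumption: the pdo_sqlite extension is available. For MySQL the only change
// is the DSN, e.g. 'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4'
// (placeholder names) plus a user and password.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: what the form submits once magic quotes are OFF.
// One apostrophe, one literal backslash, and a tag that must not render.
$input = "web's forms using backslash \\ and <b>bold</b>";

// The value travels as a bound parameter, separate from the SQL text, so
// nothing needs escaping with mysql_real_escape_string and nothing needs
// stripslashes afterwards: the quote cannot terminate the string literal.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute([':body' => $input]);

$select = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
$select->execute([':id' => $pdo->lastInsertId()]);
$stored = $select->fetchColumn();

// Round trip check: the stored text is byte for byte the original, with a
// single apostrophe and a single backslash.
if ($stored !== $input) {
    throw new RuntimeException('stored value differs from submitted value');
}

// Output side: escape for the HTML context, not for SQL. htmlspecialchars
// rewrites & < > " and (with ENT_QUOTES) ' and leaves the backslash alone,
// which is all that is needed to keep the browser from treating the stored
// text as markup. htmlentities would additionally encode accented letters,
// which is unnecessary when the page is served as UTF-8.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

The same two rules hold for the password field the question mentions: bind it as a parameter on the way in (before hashing) and never echo it back at all.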

© 2022 - 2024 — McMap. All rights reserved.