Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

how do I use mysql real escape string?

Tags:

php

mysql

The code here is still incomplete because I'm still going to ask you guys on what the proper format/syntax of using mysql escape string. Im still a beginner in php and I want to learn how to avoid sql injections. Is the code below correct? 

$con = mysql_connect("localhost","root","mypwd");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("Hospital", $con);




      $sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
      VALUES ('$_POST[hnum]', '$_POST[rnum]', '$_POST[adate]', '$_POST[adtime]', '$_POST[lname]',  '$_POST[fname]', '$_POST[mname]', '$_POST[cs]', '$_POST[age]', '$_POST[bday]', '$_POST[ad]', '$_POST[telnum]', '$_POST[sex]', '$_POST[stats1]', '$_POST[stats2]', '$_POST[stats3]', '$_POST[stats4]', '$_POST[stats5]', '$_POST[stats6]', '$_POST[stats7]', '$_POST[stats8]', '$_POST[nurse]')"; 

         mysql_real_escape_string($_POST[hnum]),
            mysql_real_escape_string($_POST[rnum]);
  mysql_real_escape_string($_POST[adate]);
like image 245
user225269 Avatar asked Jan 23 '23 12:01

user225269

2 Answers

You'll need to escape the values before you put them into the query:

$hnum = mysql_real_escape_string($_POST['hnum']);
$query = "INSERT ... VALUES('$hnum')";

If you have a lot of values, you can loop over them:

$values = $_POST;

foreach ($values as &$value) {
    $value = mysql_real_escape_string($value);
}

$query = "INSERT ... VALUES('$values[hnum]')";
like image 114
deceze Avatar answered Jan 28 '23 17:01

deceze

You're running mysql_real_escape_string on the variables AFTER inserting them into the string!

You'd want to do

   $hnum = mysql_real_escape_string($_POST[hnum]),
   $rnum = mysql_real_escape_string($_POST[rnum]);
   $adate = mysql_real_escape_string($_POST[adate]);
   $sqlque="INSERT INTO t2 (HOSPNUM, ROOMNUM, ADATE, ADTIME, LASTNAME, FIRSTNAME, MIDNAME, CSTAT, AGE, BDAY, ADDRESS, TELNUM, SEX, STAT, STAT2, STAT3, STAT4, STAT5, STAT6, STAT7, STAT8, NURSE)
  VALUES ($hnum,$rnum,$adate', //etc.

Even better, don't create SQL queries out of string substitution at all. I suggest using PDO and prepared statements/parameterized queries. A prepared statement takes care of escaping the input for you. Here's a good link with a rundown of how to use PDO instead of the mysql_* commands.

like image 21
JAL Avatar answered Jan 28 '23 18:01

JAL
Sign in to Comment

Related questions

Returning neighborhood based on address with Google geocoder/API
PHP: Instantiate class by reference?
CakePHP Model Name Uses PHP Reserved Word
duplicating the md5 raw_output flag (raw bytes) in PHP 5 with Ruby's md5
Dependency Injection simple implementation
How does wordpress password hash work?
How to show running mysql queries in php
PHP Insert into database not working
Php: creating functions in a for () loop
Escape the dot in PHP sscanf?
Web CMS Performance: pages/second (Joomla, Drupal, Plone, WP)
PHP: Using simplexml to loop through all levels of an XML file
How do I add a method to an object in PHP?
Find if node has siblings using simplexml
Determine if a string is a valid geographic location
How do you avoid forgetting to increase version number for your project? [closed]
How do I remove 'index.php' from URL in CodeIgniter?
What's a good web framework and/or tool for a software developer? [closed]
Events on PHP. Is it possible?
PHP - smart, error tolerating string comparison

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!