astralaaron Posted May 10, 2007

Is it a good idea to ALWAYS use mysql_escape_string? Or is it mysql_real_escape_string?? I cannot remember. Here in this code it is posting a new topic on my forum - should all of those $_POST[''] variables have the mysql_escape_string when I INSERT them??

<?php
include('safe.php');

// Connect to server and select database.
mysql_connect("localhost", "root", "*********") or die("cannot connect");
mysql_select_db("vikingbjj") or die("cannot select DB");

// get data that sent from form
$topic  = safe($_POST['topic']);
$detail = safe($_POST['detail']);
$name   = $_POST['name'];    // inserted without going through safe()
$email  = $_POST['email'];   // inserted without going through safe()
$main   = $_GET['main'];     // page number to return to after posting
if ($main < 1) $main = 1;
$datetime = date("d/m/y h:i:s"); // create date time

$sql = "INSERT INTO instructor_question(topic, detail, name, email, datetime)
        VALUES('$topic', '$detail', '$name', '$email', '$datetime')";
$result = mysql_query($sql);

if ($result) {
    $query = "UPDATE members SET posts = posts + 1 WHERE user = '$name'";
    mysql_query($query) or die("cannot update");
    header("location:http://localhost/vikingbjj/private/instructors.php?main=$main");
} else {
    echo "ERROR";
}
mysql_close();
?>
zppblood Posted May 11, 2007

I would use mysql_real_escape_string, htmlentities, and trim.
justsomeguy Posted May 11, 2007

It depends on whether the data is text or numeric. For text data you want to use mysql_real_escape_string; for numeric data you want to cast it as a number using either intval or floatval, depending on whether the number should be an integer or a float.
astralaaron (Author) Posted May 12, 2007

> It depends on whether the data is text or numeric. For text data you want to use mysql_real_escape_string; for numeric data you want to cast it as a number using either intval or floatval, depending on whether the number should be an integer or a float.

But you should ALWAYS do this when entering anything into the DB from a $_POST or $_GET, correct?

By the way, can you explain a float to me please?
justsomeguy Posted May 12, 2007

From $_POST, $_GET, or $_COOKIE. A floating point number is a number with a decimal point and a fraction. An integer is a whole number.
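The rule given in this answer (escape text, cast numbers) applied to the INSERT from the first post, as an added example that is not code from the thread. It uses the mysqli extension, since the mysql_* functions were removed in PHP 7; the connection credentials are placeholders, and the table and column names are the ones from the original script.

```php
<?php
// Added example, not code from the thread: the answer's rule (escape text,
// cast numbers) applied to the first post's INSERT. Uses mysqli, since the
// mysql_* functions were removed in PHP 7; credentials are placeholders.

// Text columns: escape through the open connection so the connection's
// character set is honoured (the "real" in real_escape_string).
function clean_text(mysqli $db, string $value): string
{
    return mysqli_real_escape_string($db, trim($value));
}

// Numeric columns are not quoted in SQL, so escaping does nothing for them;
// casting is the fix. A payload such as "1 OR 1=1" becomes the integer 1.
function clean_int($value, int $min = 1): int
{
    return max($min, (int) $value);
}

function clean_float($value): float
{
    return (float) $value;   // for columns such as a price or a rating
}

$db = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'vikingbjj')
    or die('cannot connect');
mysqli_set_charset($db, 'utf8mb4');

// Every value from $_POST/$_GET/$_COOKIE goes through a cleaner, including
// name and email, which the original script inserted raw.
$topic    = clean_text($db, $_POST['topic']  ?? '');
$detail   = clean_text($db, $_POST['detail'] ?? '');
$name     = clean_text($db, $_POST['name']   ?? '');
$email    = clean_text($db, $_POST['email']  ?? '');
$main     = clean_int($_GET['main'] ?? 1);     // page number: cast, not escaped
$datetime = date('d/m/y h:i:s');

$sql = "INSERT INTO instructor_question (topic, detail, name, email, datetime)
        VALUES ('$topic', '$detail', '$name', '$email', '$datetime')";
mysqli_query($db, $sql) or die('cannot insert');

// The same idea without any escaping step to forget: a prepared statement
// sends the raw value separately from the SQL text ('s' = string; use 'i'
// for integer and 'd' for float columns).
$stmt = mysqli_prepare($db, 'UPDATE members SET posts = posts + 1 WHERE user = ?');
$raw_name = trim($_POST['name'] ?? '');
mysqli_stmt_bind_param($stmt, 's', $raw_name);
mysqli_stmt_execute($stmt) or die('cannot update');
```

The bound value in the prepared statement must be the raw input, not the escaped copy, or the stored name would carry literal backslashes.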
astralaaron (Author) Posted May 12, 2007

> From $_POST, $_GET, or $_COOKIE. A floating point number is a number with a decimal point and a fraction. An integer is a whole number.

Ahh, this makes perfect sense now! Thanks.
Anders Moen Posted May 13, 2007

And just one more thing: if you didn't notice, it's not called "mysql_escape_string" but "mysql_real_escape_string".

Good luck
zppblood Posted May 13, 2007

> And just one more thing: if you didn't notice, it's not called "mysql_escape_string" but "mysql_real_escape_string".
> Good luck

http://us2.php.net/manual/en/function.mysq...cape-string.php
Anders Moen Posted May 14, 2007

Ah, okay then. Didn't know there was one so similar. Then I learned something too.