Problems inserting data using the "safe way to enter data into mysql using PHP"

I am trying to enter data using forms in MySQL as well as using mysql_real_escape_string for this purpose. Unfortunately, I have a problem with the output. It displays \s, or if I use stripslashes, then it removes all slashes.

If I send web forms using backslash \, I get this output:

"web\ forms using backslash \\"

I have a double backslash. But if I use the function stripslashes, then it deletes all slashes, but also deletes the entered slash, and the output is

"web forms using backslash"

The backslash is not displayed here, but there must be one backslash at the end.

The problem is that if someone uses a backslash in the password field or any other field, then the backslash will be deleted or displayed twice. Also, please tell me what is the best way to display the output: htmlentities or htmlspecialchars?

3 answers

You have magic quotes enabled. You need to disable them completely, as they are not good from a security point of view.

Set them to off in php.ini (preferred):

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Or you can disable them at runtime:

// get_magic_quotes_gpc() and each() were removed in PHP 8; the guard makes this
// a no-op there, and the indexed loop replaces each().
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    // References to the superglobals; nested arrays are appended to $process
    // while looping so they get processed too.
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    for ($key = 0; $key < count($process); $key++)
    {
        $val = $process[$key];
        foreach ($val as $k => $v)
        {
            unset($process[$key][$k]);
            if (is_array($v))
            {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            }
            else
            {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

mysqli . , .

mysqli ?

mysql , ?


mysql

" mysql PHP"

PDO ( ), , (mysql_real_escape_string, etc). PHP PDO , .

, - , . , , , htmlentities htmlspecialchars.

- . , PHP Rasmus Lerdorf. http://talks.php.net/ , , .

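The following is an added example, not code from the question or from any of the answers. It ties the first answer (magic quotes escaping the input before the script sees it, so escaping again doubles every backslash) to the last one (let PDO prepared statements handle quoting, and escape with htmlspecialchars only when rendering HTML). It assumes the pdo_sqlite extension so it runs without a MySQL server; the sample input is constructed to resemble the one in the question, and addslashes() stands in for what magic_quotes_gpc and mysql_real_escape_string did to backslashes.

```php
<?php
// Added example, not from the original page. Shows why a backslash came back
// doubled (input was escaped twice) and the pipeline that keeps it intact:
// undo magic quotes once, bind the value with PDO, escape only for HTML output.

// Constructed sample: what the user actually typed into the form field.
// PHP single-quoted literal for:  web\ forms using backslash \
$typed = 'web\ forms using backslash \\';

// 1. Diagnosis. magic_quotes_gpc applied addslashes() to every request value
//    before the script ran. Escaping that value a second time (which is what
//    mysql_real_escape_string did to the already-escaped string) doubles the
//    backslashes. addslashes() is used here as a stand-in for the MySQL call.
$asReceivedWithMagicQuotes = addslashes($typed);
$doubleEscaped             = addslashes($asReceivedWithMagicQuotes);

// 2. Fix: strip the magic-quotes layer exactly once, and only when it is on.
//    get_magic_quotes_gpc() no longer exists on PHP 8, so guard the call; the
//    optional parameter lets the demo force the "magic quotes on" branch.
function undo_magic_quotes(string $value, ?bool $magicQuotesOn = null): string
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

$clean = undo_magic_quotes($asReceivedWithMagicQuotes, true);
if ($clean !== $typed) {
    throw new RuntimeException('stripslashes did not restore the original input');
}

// 3. Storage: a prepared statement lets the driver quote the value, so no
//    mysql_real_escape_string/addslashes is applied to $clean by hand.
//    For a real MySQL database only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE form_data (id INTEGER PRIMARY KEY, value TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO form_data (value) VALUES (:value)');
$insert->execute([':value' => $clean]);   // for a password field, bind password_hash($clean, PASSWORD_DEFAULT) instead

$stored = $pdo->query('SELECT value FROM form_data')->fetchColumn();
if ($stored !== $typed) {
    throw new RuntimeException('value was altered on the way through the database');
}

// 4. Output: escape for the destination context (HTML), never for SQL.
//    The single trailing backslash survives; only <, >, &, quotes are encoded.
echo 'received (magic quotes on): ', $asReceivedWithMagicQuotes, PHP_EOL;
echo 'escaped a second time:      ', $doubleEscaped, PHP_EOL;
echo 'stored and read back:       ', htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

Run it with `php example.php`. The two echo lines before the last one show the doubling the question describes; the last line prints the value with exactly one trailing backslash, because each layer (request decoding, SQL quoting, HTML encoding) is applied once and by the component responsible for it.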
