All Questions tagged with mysql-real-escape-string security (19 questions)
2 votes, 1 answer, 2k views
How to detect if a string contains PHP code? PHP
I am keeping record of every request made to my website. I am very aware of the security measurements that need to be taken before executing any MySQL query that contains data coming from query ...
0 votes, 2 answers, 546 views
Where should I place mysql_real_escape_string? [closed]
What's the best way to use mysql_real_escape_string, is it at the beginning like this:
$email = mysql_real_escape_string($_POST['email']);
$qemail = mysql_query ("SELECT email FROM ppl WHERE email='$...
0 votes, 2 answers, 2k views
PHP: htmlspecialchars & real escape string & quote
I'm programming in PHP5 now, using PDO, not using prepared statements but just "normal" queries like:
$oQuery = $oDatabase->query(
"SELECT
Content
FROM
CMS
WHERE
Title = '". $...
1 vote, 1 answer, 116 views
Why do so many password tutorials, after hashing a password, use "mysql_real_escape_string"?
I don't see the need, when the input is taken as a string and hashed. Wouldn't hashing it effectively, well, sanitize the input? It seems like a waste of about a couple hundred CPU cycles, not ...
1 vote, 1 answer, 247 views
Using mysql_real_escape_string in blind code
I have a client which has a very large amount of code on its production server; now we are securing this server.
They have an SQL vulnerability in their code, so we are adding
these commands in the ...
-2 votes, 5 answers, 7k views
mysql_real_escape_string Not Working with '
I have a form processed with PHP. It contains a field for Notes about the client job.
The problem is that if there is a ' within the notes - such as it's, O'Reilly, that's etc. - it escapes the ...
-1 votes, 2 answers, 3k views
get_magic_quotes_gpc() and mysql_real_escape_string - security
I am practicing PHP and I am puzzled while interpreting a function to escape dangerous SQL characters. I want to know how it works, especially the $value in the second if. It's quite puzzling for me to ...
-2 votes, 3 answers, 85 views
How can people use this security hole?
I have a browser game. There is a message send form.
I didn't apply the real escape string function to the "message_content" variable.
Is there any option that the user could make after the insert of the ...
0 votes, 3 answers, 2k views
foreach loop causing POST to be NULL mysql_real_escape_string
This is a small segment that is built using PHP and a database, for simplicity and testing purposes; here is a text example.
The idea is the form will submit, then PHP will handle results. However ...
0 votes, 1 answer, 104 views
Is this the right way to escape multiple fields?
I had just hired someone to do a secure form and pasted below is just a snippet of a large code:
$_POST = escape_all($_POST);
$some1 = $_POST['some1'];
$some2 = $_POST['...
-2 votes, 3 answers, 180 views
My function vs mysql_real_escape_string
I have sessions for the website and this is how I use them:
$username = CleanMe($_SESSION["username"]);
$password = CleanMe($_SESSION["password"]);
//return clean values
$_SESSION["...
2 votes, 2 answers, 600 views
SQL injections from remote file
I have a file, "submit.php", which writes a series of values submitted from a previous form in "choose-product.php" to a MySQL database. I've used mysql_real_escape_string as suggested in a previous ...
1 vote, 5 answers, 140 views
Launching a website with injection protection
I am a new php "developer" and a new member of the SOF site. I am launching a website for the first time and in my online research I have been told that while PHP might be easy at the surface the most ...
2 votes, 2 answers, 12k views
Using mysql_real_escape_string with PDO (no connection to localhost server)
So I'm fairly paranoid and use mysql_real_escape_string() with PDO. I actually don't use prepared statements in PDO, so I do have to sanitize the inputs.
When hosting on my own server, I'd create an ...
0 votes, 2 answers, 313 views
Should I still escape? $_GET and XSS, SQL Injection and other PHP Security Concerns
If I am retrieving data with $_GET from the URL string and not displaying that data back on a webpage or doing any SQL actions with it, should I still consider using escape, regular expression and ...