Member Avatar for aaloo

this is my code in which i am getting $_POST from a html form.i am using mysql_real_escape_string function that should escape characters like these

\x00
\n
\r
\
'
"
\x1a

but when i enter these special characters in the form .it is going in the database. it should be escaped .i dont why it is happening . please somebody help me !!!!!

<?php
$con = mysql_connect("localhost","","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("finalcomments", $con);

unset($name);
if(isset($_POST['name']))
{
$_POST['name'] = trim($_POST['name']);
$name = mysql_real_escape_string($_POST['name']);
}

$sql="INSERT INTO $title(name) VALUES 

('$name')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
 echo "Your Comment Will be Reviewed";
mysql_close($con);
?>
}
Edited by aaloo because: n/a
  • 2 Contributors
  • 19 Replies
  • 188 Views
  • 8 Hours Discussion Span
  • Latest Post Latest Post by pritaeas
Member Avatar for pritaeas

"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a."

Do you want them removed ? Just replace them with str_replace .

Edited by pritaeas because: n/a
Member Avatar for aaloo

Sorry i didnt understand you .my english is not so good. All i want to say is when i enter \n in html form , its going to the database but it should be escaped. why it is going to the database ???????

Edited by aaloo because: n/a
Member Avatar for pritaeas

If you see '\n' in the database, that means it is escaped.

Member Avatar for aaloo

it will not cause sql injection , right ??

Member Avatar for pritaeas

Nope. But I doubt you want those in a name, so I suggest removing them entirely.

Member Avatar for aaloo

what i understand from "escaping" is ,\n would be deleted whenever i enter \n in the form , isnt it??

Member Avatar for pritaeas

It isn't.

Member Avatar for aaloo

then what does really mean by this sentence "mysql_real_escape_string() escape those characters " ??

Member Avatar for pritaeas

It makes them ready to be entered correctly into the database.

Member Avatar for aaloo

i still dont understand what this function actually do , is it improve the security or not ??

Member Avatar for pritaeas

Yes it does. It escapes a tab character so it is inserted correctly. Otherwise the query could fail. If you want to improve your security, it is wiser to remove them altogether.

Member Avatar for aaloo

so u r saying that in mysql query \n will not be processed , right ?? like, if i enter "aaloo \njack" , mysql query will read it as "aaloo jack" ,\n is escaped , right??
?

Member Avatar for pritaeas

Escaped yes, removed no. Just see what it outputs if you read it back from the database.

Member Avatar for aaloo

yeah i got it , it is sending \n directly to the database without being processed in the query, right ?

Member Avatar for pritaeas

Right.

Member Avatar for aaloo

thanks man , it was nice to talk with you

Member Avatar for pritaeas

Please, consider to mark this thread solved.

Member Avatar for aaloo

ok , i was waiting for your "byee"

Member Avatar for pritaeas

Am not that social :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.