Jump to content

Mysql Real Escape

ajicles

By ajicles
in PHP Coding Help

 Share

Recommended Posts

ajicles Member

ajicles

Posted
Posted

Hello I am having a problem trying to write to a database using mysql real escape so there wont be any injection attacks. I trying using myrealescape and it returns errors:

Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

 

I add in the single quotes and it doesn't write either. Dreamweaver says that either single quotes or not there is no syntax errors.

 

What going on? I have used it like this before: ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems..

 

~AJ

 

 

<?php 
require_once('connect.php');

if(isset($_COOKIE['user'])){}else{
header( 'Location: members.php');
}

if (isset($_POST['sendBtn'])){

$messageFrom = $_COOKIE['user'];
$messageTo = $_POST['messageTo'];
$hash = $messageTo.$messageFrom.time();
$hash = md5($hash);

mysql_select_db("majik");

$sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')";

echo '<center>Your message was sent to: '.$messageTo.'</center>';


}


?>

Link to comment
Share on other sites
micah1701 Member

micah1701

Posted
Posted

also, mysql_real_escape_string() only works inside the mysql_query(). 

so doing

this wont work:

$sql = "INSERT INTO table (col1) VALUES ('".mysql_real_escape_string("my text")."'";
mysql_query($sql);

but this will:

mysql_query("INSERT INTO table (col1) VALUES ('".mysql_real_escape_string("my text")."')");

 

 

someone correct me if i'm wrong

Link to comment
Share on other sites
Alex Advanced Member

Alex

Posted
Posted

also, mysql_real_escape_string() only works inside the mysql_query(). 

so doing

this wont work:

$sql = "INSERT INTO table (col1) VALUES ('".mysql_real_escape_string("my text")."'";
mysql_query($sql);

but this will:

mysql_query("INSERT INTO table (col1) VALUES ('".mysql_real_escape_string("my text")."')");

 

 

someone correct me if i'm wrong

You're wrong.
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.