sofia403 Posted June 1, 2011

Hi, just wondering, do I need to use mysql_real_escape_string() on login information (username and password)? I use it as shown below but get an error when connecting.

```php
if (isset($_POST['submit'])) {
    if (empty($_POST['uname']) && empty($_POST['upass'])) {
        header("Location: Messages.php?msg=1");
        exit();
    }
    // Escaping is called here, before config.php (which opens the DB connection) is included
    $n = mysql_real_escape_string($_POST['uname']);
    $p = mysql_real_escape_string($_POST['upass']);
    include('config.php');
    $query = "select * from country where uname='$n' and pw='$p'";
    $result = mysql_query($query);
}
```

Link: https://forums.phpfreaks.com/topic/238058-mysql_real_escape_string/
Pikachu2000 Posted June 1, 2011

Yes, it should be used on any and all string type data being used in a DB query. If your database connection is in your config.php file, you'll need to make sure it gets included before you try to use mysql_real_escape_string(). When you post a question and it involves an error message, it's usually helpful to also post the error, BTW.
sofia403 Posted June 1, 2011 (Author)

OK, sorry, my error was "access denied for user with password 'NO'" or something of that nature. My config.php was after mysql_real_escape_string(); I moved it to the top and it works now, thanks! Also I was wondering, probably a silly question, but anyway: if I have a selection form where users select predefined values, then I don't need mysql_real_escape_string(), is that right? :S
Pikachu2000 Posted June 1, 2011

Don't make the mistake of thinking that <select> and other fields with a "limited" number of options don't need to be validated and sanitized. It doesn't take anything for a malicious user to make their own form and use it to submit values to your script.
sofia403 Posted June 1, 2011 (Author)

Oh wow, thanks. I guess I have some work to do.
PFMaBiSmAd Posted June 1, 2011

ALL external data can be set to anything, cannot be trusted, and must be validated to make it safe for use by your code - $_POST, $_GET, $_COOKIE, $_FILES, and some $_SERVER variables.
sofia403 Posted June 1, 2011 (Author)

Thank you, I really appreciate your comments on that!
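As an added example (not code from the thread or its participants), the same login lookup written so that input never reaches the SQL string at all, plus the server-side whitelist that Pikachu2000's and PFMaBiSmAd's replies call for on a <select> value. The table and column names (country, uname, pw) come from the original post; the role field, its allowed values, the stored password hash and the in-memory SQLite database are assumptions made so it runs offline.

```php
<?php
// Added example: PDO prepared statements replace string splicing plus
// mysql_real_escape_string(), and a <select> value is re-checked on the
// server because the client can submit any value it likes.

// Assumed allowed values for a hypothetical <select name="role"> field.
const ALLOWED_ROLES = ['viewer', 'editor', 'admin'];

function validateRole(?string $role): ?string
{
    // Strict comparison; anything outside the whitelist is rejected (null).
    return in_array($role, ALLOWED_ROLES, true) ? $role : null;
}

function findUser(PDO $db, string $uname, string $pw): ?array
{
    // The connection is a parameter, so it necessarily exists before the
    // query runs (the include-order problem from the thread cannot occur).
    // The username travels as a bound parameter, never inside the SQL text.
    $stmt = $db->prepare('SELECT * FROM country WHERE uname = :u');
    $stmt->execute([':u' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumes pw stores a password_hash() result rather than the plaintext
    // compared in the original query.
    if ($row === false || !password_verify($pw, $row['pw'])) {
        return null;
    }
    return $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE country (uname TEXT PRIMARY KEY, pw TEXT)');
$ins = $db->prepare('INSERT INTO country (uname, pw) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// A correct login returns the row; a wrong password returns null.
var_dump(findUser($db, 'alice', 'correct horse') !== null);
var_dump(findUser($db, 'alice', 'wrong') === null);

// A username containing a quote is plain data: no escaping needed, no SQL error,
// simply no matching row.
var_dump(findUser($db, "o'neil", 'anything') === null);

// A tampered <select> value is caught before it gets near a query.
var_dump(validateRole('editor'), validateRole("editor' --"));
```

Run with the sqlite PDO driver enabled; the same functions work unchanged against MySQL by swapping the DSN passed to the PDO constructor.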