June 30th, 2008, 1:26 AM   #4
gmax21
Hmm I had a quick look, it seems ok but it might be worth others checking it over also.

PHP: mysql_real_escape_string - Manual

I would however suggest you look into using the sprintf function also.

PHP: sprintf - Manual

Is this your code or is it all from: PHP Freaks - Index

When I code I tend to go OO (Object Orientated) and make functions within a class of the MySQL stuff which makes it clearer in my mind for checking it's been done right.

Personally myself I would have used sprintf and mysql_real_escape_string within the mysql function to ensure it doesn't get some unexpected data.

An example is on the above web link, but I'll post it here also:

Code:
        // Make a safe query
        $query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
                    mysql_real_escape_string($product_name, $link),
                    mysql_real_escape_string($product_description, $link),
                    $_POST['user_id']);
I never originally looked at the image, but now I have I'm not entirely sure what's wrong?

I presume the wphone and cphone should be numbers, if you want the code to check it and make sure it's only numbers then consider using some regex code (I prefer Preg personally).

Sorry I've not been more help.
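The digits-only check on wphone and cphone suggested in the post above, as an added example that is not part of the original post. The function name `digits_only_or_null`, the 5 to 15 digit length bounds and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread. wphone/cphone are the field
// names mentioned in the post; everything else here is hypothetical.

/**
 * Return $value if it is a string of ASCII digits only, otherwise null.
 *
 * \A and \z anchor to the real start and end of the string. With ^...$ a
 * value ending in a newline would still pass, because $ also matches just
 * before a trailing "\n".
 */
function digits_only_or_null($value, int $minLen = 5, int $maxLen = 15): ?string
{
    if (!is_string($value)) {
        return null; // e.g. an array submitted as wphone[]=...
    }
    // Length bounds are an assumption; adjust to the numbers you accept.
    $pattern = sprintf('/\A[0-9]{%d,%d}\z/', $minLen, $maxLen);
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Constructed sample input standing in for $_POST.
$samples = [
    'plain digits'     => '02079460000',
    'contains spaces'  => '0207 946 0000',
    'trailing newline' => "02079460000\n",
    'contains a quote' => "0207'946",
    'array value'      => ['02079460000'],
];

foreach ($samples as $label => $value) {
    $ok = digits_only_or_null($value) !== null;
    printf("%-17s %s\n", $label, $ok ? 'accepted' : 'rejected');
}

// sprintf's %d converts its argument to an integer instead of rejecting it,
// so a non-numeric user_id ends up in the query as a different number.
// Validate the field first if that should be an error instead.
printf("%%d applied to '42abc' gives %s\n", sprintf('%d', '42abc'));
```

Rejecting the value before the query is built complements the escaping shown in the post; it does not replace it for the free-text fields such as name and description.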