kylebuch8 Posted March 20, 2008

I'm using mysql_real_escape_string() to secure user input and I'm not receiving any errors when I run the function. How can I tell that the function is working? Here is the code that I'm using:

    $username = "<script>testing</script>";
    $password = "kyle's test";
    $conn = mysql_connect(dbhost, dbuser, dbpass);
    // Both values are escaped against the same connection; the original
    // post passed $conn to sprintf() instead of to the second
    // mysql_real_escape_string() call.
    $query = sprintf("INSERT INTO Test (username, password) VALUES ('%s', '%s')",
        mysql_real_escape_string($username, $conn),
        mysql_real_escape_string($password, $conn));
    mysql_query($query, $conn);

When I view the information in my database, the input shows exactly as it is entered in the script above. I thought that the mysql_real_escape_string() function would prevent the <script> tags from being entered. Am I wrong? I know there are other functions to strip tags from user input, but I thought the mysql_real_escape_string() function would also handle this. Any ideas, thoughts, help is appreciated. Thanks.
click Posted March 20, 2008

No, mysql_real_escape_string() is used to guard against SQL injection attacks. It doesn't care about any HTML that may be contained in the string. Something like strip_tags() can be used to remove HTML tags (but won't escape quotes, etc. that are used in SQL injection).
kylebuch8 (Author) Posted March 20, 2008

Ok, thanks click. I'll just make sure that the input that I am accepting is limited to certain numbers and characters.
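The point click makes, and the allowlist kylebuch8 settles on, as an added example that is not code from the original thread. It separates the three places where user input needs a different treatment: validation on the way in, the SQL layer on the way to the database, and the HTML layer on the way to the browser. The DB_* constants, the Test table and the database name are hypothetical, and a reachable MySQL server is assumed; mysqli stands in for the mysql_* extension, which was removed in PHP 7.

```php
<?php
// Added example, not code from the original thread.
// DB_* values and the Test table are hypothetical; a MySQL server is assumed.
declare(strict_types=1);

define('DB_HOST', '127.0.0.1');
define('DB_USER', 'app');
define('DB_PASS', 'secret');
define('DB_NAME', 'appdb');

// 1. Validation: the allowlist kylebuch8 settles on. Reject anything outside
//    it instead of trying to clean it up.
function validUsername(string $u): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $u) === 1;
}

// 2. SQL layer: a prepared statement sends the values separately from the
//    query text, so no escaping function is involved at all.
function storeUser(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare('INSERT INTO Test (username, password) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException($conn->error);
    }
    $stmt->bind_param('ss', $username, $password);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. HTML layer: encode when rendering, never before storing. This is what
//    keeps <script> from running in a page, and it is a different job from
//    what real_escape_string does.
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The two inputs from the original post (constructed test values).
$username = "<script>testing</script>";
$password = "kyle's test";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$conn->set_charset('utf8mb4');

// What real_escape_string changes: the apostrophe, so the value cannot close
// the SQL string literal. What it leaves alone: every character of the tag.
echo "escaped password: ", $conn->real_escape_string($password), PHP_EOL;
echo "escaped username: ", $conn->real_escape_string($username), PHP_EOL;

// The kind of input it is actually meant to neutralise, for comparison.
echo "escaped payload:  ", $conn->real_escape_string("x' OR '1'='1"), PHP_EOL;

// Validation decides whether this input is accepted at all.
echo "username accepted: ", var_export(validUsername($username), true), PHP_EOL;

if (validUsername($username)) {
    storeUser($conn, $username, $password);
}

// Whatever ends up stored, encode it at the HTML boundary.
echo "rendered: ", renderUsername($username), PHP_EOL;

$conn->close();
```

Run against a server, the escaped password comes back as `kyle\'s test` and the injection payload as `x\' OR \'1\'=\'1`, while the escaped username is byte-for-byte the input: the function only protects the SQL string literal. validUsername() returns false for the angle brackets, so nothing is inserted, and renderUsername() produces `&lt;script&gt;testing&lt;/script&gt;`, which is the step that actually stops the tag from executing in a browser. Storing the password verbatim only mirrors the thread's Test table; real code should pass it through password_hash() before it reaches storeUser().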