
Mysql_real_escape_string Help



I'm using mysql_real_escape_string() to secure user input and I'm not receiving any errors when I run the function. How can I tell that the function is working? Here is the code that I'm using:


$username = "<script>testing</script>";
$password = "kyle's test";
// dbhost, dbuser and dbpass are assumed to be constants defined elsewhere in the script.
$conn = mysql_connect(dbhost, dbuser, dbpass);
// Escape both values against the same connection. (The original had a misplaced
// parenthesis that passed $conn to sprintf() instead of to the second
// mysql_real_escape_string() call.)
$query = sprintf("INSERT INTO Test (username, password) VALUES ('%s', '%s')",
                 mysql_real_escape_string($username, $conn),
                 mysql_real_escape_string($password, $conn));

mysql_query($query, $conn);


When I view the information in my database, the input shows exactly as it is entered in the script above. I thought that the mysql_real_escape_string() function would prevent the <script> tags from being entered. Am I wrong?


I know there are other functions to strip tags from user input, but I thought the mysql_real_escape_string() function would also handle this.


Any ideas, thoughts, help is appreciated. Thanks.


No, mysql_real_escape_string() is used to guard against SQL injection attacks. It doesn't care about any HTML that may be contained in the string. Something like strip_tags() can be used to remove HTML tags (but won't escape quotes, etc. that are used in SQL injection.)

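The distinction in the answer above, shown end to end as an added example (not code from the thread). It assumes an in-memory SQLite database through PDO so it runs without a MySQL server; PDO::quote() plays the role of mysql_real_escape_string() (the SQLite driver doubles the apostrophe where MySQL would emit a backslash, but the principle is identical). It shows that escaping only protects the SQL statement, that the stored value is the original input, and that HTML is a separate concern handled by strip_tags() or, preferably, htmlspecialchars() at output time.

```php
<?php
// Added example, not from the original post. SQLite via PDO is an assumption
// standing in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Test (username TEXT, password TEXT)');

// Constructed inputs: the same two strings as in the question.
$username = "<script>testing</script>";
$password = "kyle's test";

// 1. SQL escaping only protects the *statement*. quote() escapes and wraps the
//    value so the apostrophe in "kyle's" cannot terminate the string literal.
$sql = sprintf("INSERT INTO Test (username, password) VALUES (%s, %s)",
               $db->quote($username), $db->quote($password));
echo "Statement sent to the server:\n  $sql\n";
$db->exec($sql);

// 2. The database stores the ORIGINAL value: the escaping is consumed by the
//    SQL parser, so the <script> tags and the bare apostrophe come back intact.
$row = $db->query('SELECT username, password FROM Test')->fetch(PDO::FETCH_ASSOC);
echo "Stored username: {$row['username']}\n";
echo "Stored password: {$row['password']}\n";

// 3. Removing HTML is a separate step. strip_tags() discards the tags (and
//    anything structural about them) if you truly want them gone before storage.
echo "strip_tags(): " . strip_tags($row['username']) . "\n";

// 4. The usual approach keeps the data as-is and escapes for HTML when it is
//    rendered, which neutralises the tags without losing information.
echo "htmlspecialchars(): " . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "\n";

// 5. The same write with no manual escaping at all: a prepared statement sends
//    data separately from the SQL text, so neither the apostrophe nor the tags
//    can change the query's meaning.
$stmt = $db->prepare('INSERT INTO Test (username, password) VALUES (:u, :p)');
$stmt->execute([':u' => $username, ':p' => $password]);
echo "Rows after prepared insert: "
   . $db->query('SELECT COUNT(*) FROM Test')->fetchColumn() . "\n";
```

Run it with `php example.php`. Both inserts succeed and both rows hold the literal `<script>testing</script>` and `kyle's test`; only the statement text printed in step 1 contains escaping, which is exactly what the original poster observed in their database.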
