mysql - working - What do I need to escape when sending a query?

When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website.

I usually just have a function escape_string(blah), which:

  • Replaces escapes (\) with double escapes (\\).
  • Replaces single quotes (') with an escaped single quote (\').

Is this adequate? Is there a hole in my code? Is there a library which can do this quickly and reliably for me?

I'd like to see graceful solutions in Perl, Java, and PHP.


A great thing to use in PHP is the PDO. It takes a lot of the guesswork out of dealing with securing your SQL (and all of your SQL stuff in general). It supports prepared statements, which go a long way towards thwarting SQL Injection Attacks.

A great primer on PDO is included in the book The PHP Anthology 101 Essential Tips, Tricks & Hacks by Davey Shafik etc. 2nd Ed. Makes learning a breeze and is excellent as a reference. I don't even have to think about anything other than the actual SQL Query anymore.
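As an added illustration of the answer above (this is example code written for this page, not code from the question, the answer, or the book it cites): the same lookup run twice, once with the value pasted into the SQL text and once as a PDO prepared statement with a bound parameter. It uses PDO's SQLite driver with an in-memory database so it runs stand-alone; the table, rows and the "attacker" input are constructed for the demonstration, and the same `prepare()`/`execute()` calls work unchanged against MySQL with a `mysql:` DSN.

```php
<?php
// Added example, not part of the original post.
// In-memory SQLite so the script is self-contained; swap the DSN for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also consider:
//   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// so the server, not the client library, separates SQL from values.

// Constructed sample data.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed hostile input: the quote ends the string literal and the
// OR makes the WHERE clause true for every row.
$userInput = "x' OR '1'='1";

// 1. String concatenation: the input becomes part of the SQL grammar.
$unsafe = $pdo->query("SELECT name FROM users WHERE name = '$userInput'")
              ->fetchAll(PDO::FETCH_COLUMN);
// $unsafe === ['alice', 'bob']  (both rows leaked)

// 2. Prepared statement: the SQL text is fixed, the value travels separately
//    and can never be parsed as SQL, whatever characters it contains.
$stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
$stmt->execute([':name' => $userInput]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
// $safe === []  (nobody is literally named  x' OR '1'='1 )

// 3. Numeric columns are the case a quote-escaping helper cannot cover:
//    in  WHERE id = $id  there is no quote to close, so "1 OR 1=1" would be
//    SQL verbatim. Bind with an explicit type instead of escaping.
$byId = $pdo->prepare("SELECT name FROM users WHERE id = :id");
$byId->bindValue(':id', 2, PDO::PARAM_INT);   // constructed id; in real code: (int)$_GET['id']
$byId->execute();
$row = $byId->fetchColumn();
// $row === 'bob'

var_dump($unsafe, $safe, $row);
```

The point of the example is that a quote-escaping function only helps inside a quoted string literal; it does nothing for unquoted numeric values, and a bare backslash/quote replacement is also not aware of the connection's character set the way the driver's own escaping is. Placeholders sidestep both problems because the value is never spliced into the query text. The same idea exists in the other languages the question mentions: DBI's `?` placeholders in Perl and `PreparedStatement` in Java (JDBC).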



Your list page or your main page is the index_2.php and your update_2.php is where the Click here to go back button is located.

Summary:

index_2.php

  • List of data
  • Also where the form is

update_2.php

  • where the Click here to go back button is located

When the data is submitted from your index_2.php, it will go to update_2.php, but that page does nothing except offer the back button.

The only time the UPDATE query will run is when the user clicks the Click here to go back button.

SOLUTION:

  • Put your UPDATE query in your update_2.php
  • Use the header() function to redirect the user back to index_2.php after the query

Sample Code:

index_2.php:

<form action="update_2.php" method="POST">

  <!-- INSERT HERE YOUR INPUT FIELDS -->
  <input type="submit" name="submit">
</form>

update_2.php:

<?php

  if(isset($_POST["submit"])){

    /* INSERT HERE YOUR UPDATE QUERIES */
    header("Location: index_2.php"); /* REDIRECT USER BACK TO index_2.php */
    exit; /* stop the script so nothing after the redirect header runs */

  } /* END OF ISSET SUBMIT */

?>

Two page refreshes are needed to get the input data from the MySQL database

From my perspective:

  1. Put all the input tags inside of form tag that uses action="" (to the same URL)

OR

  1. Process the request with AJAX. When the anchor a is clicked, use onclick, then define the listener function that makes the AJAX call and updates the input fields on a successful response (parse the response accordingly). See using JS or jQuery.

Also, it would be better if you escape the query input values. For MySQL see some posts here, here and here.
