using dreamweaver mx 2004 7.1 should I use mysql_real_escape_string


nanny
11-08-2007, 10:49 PM
Hi, I have been reading so much about mysql_real_escape_string and am confused as to whether to have my PHP 5 with magic quotes enabled or not, and whether to use this escaping or not. With PHP 4 I had magic quotes enabled.

Reading php.net has not said whether it is best practice to have magic quotes enabled or not. I have also read where you shouldn't use say:

if (!empty($classbusinessname) && !empty($tel)) {
    // The posted values are concatenated straight into the SQL string
    $searchinfo = "SELECT DISTINCT classbusinessname, tel, paystatus FROM listing WHERE paystatus='paid' AND classbusinessname='" . $classbusinessname . "' AND tel='" . $tel . "'";
}


I am using this to start a session once the user's details match so that they can send me a contact form with edit details for their listing.

At the top of the page is the session start:

session_start();
$_SESSION['classbusinessname'] = $_POST['classbusinessname'];


Thanks. I need to get my head around this, as I have also read that mysql_real_escape_string has problems with numeric values showing 0 as not empty. Are there any other problems with it?

But if I have magic quotes enabled and am using stripslashes when showing MySQL data, do I need mysql_real_escape_string?

Confused!

davidj
11-09-2007, 07:29 AM
This is a good question.

To be honest I usually strip any illegal chars from my strings but have never utilised these built-in functions to their max. It's food for thought though.

I would use mysql_real_escape_string as opposed to stripslashes.
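
An added example, not part of either post: the lookup from the question written with bound parameters, so the query no longer depends on magic quotes or on an escaping call. It assumes PDO with the SQLite driver as a stand-in for MySQL so it runs without a server; `raw_input_value` and `find_paid_listing` are hypothetical helper names and the rows are constructed.

```php
<?php
// Added example, not code from the thread. Table and column names come from
// the question; the in-memory SQLite database and its rows are constructed.

// Undo magic_quotes_gpc if this PHP build still has it, so the value is
// exactly what the user typed. (The function was removed in PHP 8.)
function raw_input_value($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Look up a paid listing with bound parameters: the values never become
// part of the SQL text, so no quoting or escaping step is needed.
function find_paid_listing(PDO $db, $classbusinessname, $tel) {
    // Compare with '' rather than empty(): empty('0') is true in PHP.
    if ($classbusinessname === '' || $tel === '') {
        return array();
    }
    $stmt = $db->prepare(
        "SELECT DISTINCT classbusinessname, tel, paystatus FROM listing
         WHERE paystatus = 'paid' AND classbusinessname = ? AND tel = ?"
    );
    $stmt->execute(array($classbusinessname, $tel));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE listing (classbusinessname TEXT, tel TEXT, paystatus TEXT)");
$db->exec("INSERT INTO listing VALUES ('O''Brien Plumbing', '0', 'paid')");
$db->exec("INSERT INTO listing VALUES ('Acme Signs', '5550100', 'unpaid')");

// Constructed form input standing in for $_POST.
$post = array('classbusinessname' => "O'Brien Plumbing", 'tel' => '0');
$name = raw_input_value($post['classbusinessname']);
$tel  = raw_input_value($post['tel']);

// A name containing a quote, and a tel of '0', match as typed.
var_dump(count(find_paid_listing($db, $name, $tel)) === 1);

// A value containing quotes and SQL keywords is compared as plain data.
var_dump(count(find_paid_listing($db, "x' OR '1'='1", "x' OR '1'='1")) === 0);
```

Because the stored value is never escaped on the way in, there is nothing to strip with stripslashes when it is displayed.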