Larry Ullman's Book Forums

Mysqli_Real_Escape_String() Vs Escape_Data() Function



The virtual app code assumes Magic Quotes is disabled and uses mysqli_real_escape_string() directly...but my host provider has Magic Quotes enabled, so for that environment should I replace every mysqli_real_escape_string() statement with the 'escape_data()' function defined in 'mysql.inc.php'?

For the IPN listener, if modified to process other fields, how would $_POST['payment_date'] be made safe to use in a query, or is it necessary for dates?

Also for the IPN listener, is there a way to run the entire $_POST[] array from PayPal at once (i.e. something like 'escape_data($_POST[])'), or should each individual value you want to retain be handled individually?


Yes, using escape_data() sounds like a good plan for you.

 

$_POST['payment_date'] can be made safe by running it through an escaping function, applying regular expressions, or using prepared statements. In theory, dates are safe, but that's assuming it's a date value you're provided with and not something malicious. 

 

You can use the array_map() function to apply a function to an entire array. It does not work on multidimensional arrays, however.


In ecommerce1, shouldn't we be using escape_data() instead of mysqli_real_escape_string() when checking forms anyway?

Do we not want to be trimming the data off form fields like escape_data() does, or at least adding trim to all the checks of the form fields in, say, register.php?

 

Or if there is a reason we don't want to trim data off a particular field, can we not add an else clause to escape_data() that matches the fields we don't want trimmed and then returns an untrimmed version of the data? Then that way we make use of escape_data() in the application.

 

Regards,

 

Rob


If I recall correctly, I defined escape_data() and then mistakenly didn't use it (this is on the errata page, I believe). So, yes, you'd want to use escape_data(). It's not the biggest issue one way or the other but...

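The following is an added example, not code from the book or from any of the posts above. It pulls together the three points raised in the thread: an escape_data() that copes with Magic Quotes being on or off (and trims, with an opt-out for named fields as Rob suggests), array_map() applied to a flat $_POST array, and a prepared statement for the IPN payment_date field. The function signature escape_data($data, $dbc), the table name ipn_log, the field names in $untrimmed and the sample IPN values are all assumptions for illustration; get_magic_quotes_gpc() only exists on PHP 5 (it was removed in PHP 8), hence the function_exists() guard.

```php
<?php
// Added example, not the book's mysql.inc.php. Assumes a procedural mysqli
// connection in $dbc and a hypothetical table ipn_log(txn_id, payment_date).

// Undo Magic Quotes if the host has them on, so the value is not escaped twice,
// then trim and escape for MySQL. Signature is an assumption.
function escape_data($data, $dbc) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = stripslashes($data); // Magic Quotes already added backslashes
    }
    return mysqli_real_escape_string($dbc, trim($data));
}

// Same idea, but with a list of fields that must keep leading/trailing
// whitespace (e.g. passwords). The field names are hypothetical.
function escape_form_field($field, $data, $dbc) {
    $untrimmed = array('pass1', 'pass2');
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    if (!in_array($field, $untrimmed, true)) {
        $data = trim($data);
    }
    return mysqli_real_escape_string($dbc, $data);
}

// Escape every scalar in a one-level array such as $_POST in one call.
// array_map() does not descend into nested arrays, so those are left
// untouched here; a recursive walk would be needed for multidimensional input.
function escape_array(array $input, $dbc) {
    return array_map(function ($value) use ($dbc) {
        return is_array($value) ? $value : escape_data($value, $dbc);
    }, $input);
}

// For payment_date, validate the format and bind it as a parameter instead of
// relying on escaping alone: a prepared statement keeps the value out of the
// SQL text entirely, and an unparseable "date" is rejected, not stored.
function store_payment_date($dbc, $txn_id, $payment_date) {
    $ts = strtotime($payment_date);
    if ($ts === false) {
        return false; // not a date at all: do not insert it
    }
    $mysql_date = date('Y-m-d H:i:s', $ts);
    $stmt = mysqli_prepare($dbc, 'INSERT INTO ipn_log (txn_id, payment_date) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $txn_id, $mysql_date);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Usage with constructed sample IPN values (not a real PayPal message):
// $safe = escape_array($_POST, $dbc);              // whole flat array at once
// $ok = store_payment_date($dbc, $safe['txn_id'], $_POST['payment_date']);
// Note: pass the raw payment_date to store_payment_date(), since bound
// parameters must not be escaped a second time.
```

The escape_data() version above makes the Magic Quotes question moot: whether the host has them on or off, the value reaches mysqli_real_escape_string() exactly once. For the IPN listener, escaping the whole array with array_map() is fine for the string fields you keep, but for a field with a known shape such as payment_date the stricter option is to parse it, reject anything that does not parse, and bind the normalised value with a prepared statement.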
