TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
-   Advanced PHP Programming (http://www.talkphp.com/advanced-php-programming/)
-   -   escape strings (http://www.talkphp.com/advanced-php-programming/3515-escape-strings.html)

9three 10-23-2008 06:12 PM

escape strings
 
I'm setting up a client log-in system and I'm trying to escape strings so that special characters don't create an error. But I know I'm doing it wrong, and the manual isn't really helping.

PHP Code:

$query = "SELECT url FROM authorized_clients
          WHERE name = '$name' AND password = '$password'" . $cnx->escape_string($clientID); // escaped value is appended to the end of the query string

The $cnx->escape_string($clientID) part. I don't even know if I'm putting it in the right place.

Edit:

This is the part where I define $cnx and $clientID:
PHP Code:

session_start();
if (isset($_SESSION['clientID'])) {

    $clientID = (integer)$_SESSION['clientID'];

    // Connect to MySQL
    $cnx = mysqli_connect('localhost', 'username', 'password');
    if (!$cnx) {
        exit('<p>Error: Unable to connect to MySQL</p>');
    }
}



ReSpawN 10-23-2008 11:06 PM

Well, first of all, name your variables better. ;-) If you're going to look back at your client's code after 2 projects and 3 months ... you MUST know what it all means. So, instead of $cnx I would name it $connectionID or $connID.

The part you are trying to solve, I guess, is the query part.

$cnx-> indicates that it is an object, which I don't see created anywhere (using __construct, autoload or even new className).

The thing you want is to escape the value with, let's say, addslashes or mysql_real_escape_string().

printf and sprintf are what you should be using. printf immediately displays the string and sprintf just makes it whole.

PHP Code:

sprintf('SELECT `url` FROM `authorized_clients` WHERE `name` = "%s" AND `password` = "%s" LIMIT 1', escapeValue($name), escapeValue($password));

In this case, you would create a function named escapeValue() that filters and ONLY returns the escaped value. Since you won't have to do this on a password (it being a salt with a string, hashed by md5, sha1, both or even base64_encode(d) :-P), you should also make a value to encrypt the password.
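The lookup from the first post written three ways, as an added example that is not part of this thread (my own code, not 9three's or ReSpawN's). It assumes PHP 7.1 or later with the mysqli extension, a hypothetical local database named clients_db holding the poster's authorized_clients(name, password, url) table, the placeholder credentials below, and an injection input I constructed. One point the thread gets wrong: mysqli_connect() returns a mysqli object, so the object-style $cnx->escape_string() (an alias of real_escape_string()) does exist on the handle from the second snippet; the poster's actual mistake is appending the escaped value to the end of the query instead of escaping each value inside its quotes. Note also that $clientID is already cast to an integer, so it needs no string escaping at all.

```php
<?php
// Added example, not code from the original thread.
// Hypothetical schema: authorized_clients(name, password, url).

// 1. Vulnerable: raw interpolation of user input into the SQL text.
//    With $name = "admin' -- " the rest of the WHERE clause becomes a
//    comment, so admin's row is returned whatever password was sent.
function lookupUrlUnsafe(mysqli $db, string $name, string $password): ?string
{
    $sql = "SELECT url FROM authorized_clients
            WHERE name = '$name' AND password = '$password'";
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    return $row['url'] ?? null;
}

// 2. Escaping done correctly: each value is escaped on its own and placed
//    inside the quotes. set_charset() must be called first, because
//    real_escape_string() is charset-aware.
function lookupUrlEscaped(mysqli $db, string $name, string $password): ?string
{
    $sql = sprintf(
        "SELECT url FROM authorized_clients WHERE name = '%s' AND password = '%s' LIMIT 1",
        $db->real_escape_string($name),
        $db->real_escape_string($password)
    );
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    return $row['url'] ?? null;
}

// 3. Preferred: a prepared statement. The parameters travel separately from
//    the SQL text, so nothing is escaped and no quoting mistake is possible.
function lookupUrlPrepared(mysqli $db, string $name, string $password): ?string
{
    $stmt = $db->prepare(
        "SELECT url FROM authorized_clients WHERE name = ? AND password = ? LIMIT 1"
    );
    if (!$stmt) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $password);
    $stmt->execute();
    $stmt->bind_result($url);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $url : null;
}

// Placeholder connection details (assumption); mysqli_connect() returns a
// mysqli object, so both procedural and object-style calls work on $db.
$db = mysqli_connect('localhost', 'username', 'password', 'clients_db');
if (!$db) {
    exit('Unable to connect to MySQL: ' . mysqli_connect_error());
}
$db->set_charset('utf8mb4');

// Constructed injection input. The escaped and prepared lookups return
// null for it (no client is literally named "admin' -- "); the unsafe one
// can return admin's url without knowing the password.
$evilName = "admin' -- ";
var_dump(lookupUrlUnsafe($db, $evilName, 'wrong'));
var_dump(lookupUrlEscaped($db, $evilName, 'wrong'));
var_dump(lookupUrlPrepared($db, $evilName, 'wrong'));
```

Two design notes. The escaped version is only safe when every interpolated value passes through real_escape_string() and sits inside quotes; a single forgotten call or an unquoted numeric placeholder reopens the hole, which is why the prepared statement is the form to keep. And the password column should not be compared in SQL at all: store a salted hash, fetch it by name, and compare it in PHP (password_hash()/password_verify() on PHP 5.5+), rather than the md5/sha1/base64 mix suggested above (base64 is an encoding, not a hash).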

codefreek 10-24-2008 12:07 AM

Not to be a flamer, but yeah, the variable names :P
I would use printf in this case.

