PHP - Php Mysql_real_escape_string And Xampp

Hi, just wondering do i need to use mysql_real_escape_string() on login information (username and password). I use it as shown below but get an error when connecting.

Code: [Select]
if(isset($_POST['submit'])){
if( empty($_POST['uname']) && (empty($_POST['upass']))){
header( "Location:Messages.php?msg=1" );
exit();
}

$n=mysql_real_escape_string($_POST['uname']);
$p=mysql_real_escape_string($_POST['upass']);

include('config.php');
$query="select * from country where uname='$n'  and pw='$p'";
$result=mysql_query($query);

Hello All,

Wondering if someone can help.  I have a piece of code which I use on all data I post to my database which uses mysql_real_escape_string on all my forms for security purposes that I found on t'internet:


if(!get_magic_quotes_gpc()){
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
} 


However, ever since i've installed this i'm having problems with other elements, such as deleting records from a MYSQL database like so:


<?php
$msg = "";
if(isset($_POST['Submit'])){
    $total = $_POST['total'];
    $news_ids = $_POST['nws_id'];
    foreach($news_ids as $id){
        mysql_query("DELETE FROM news WHERE news_id='$id'");
    }
$msg = count($news_ids) . " News Item(s) deleted!";
}
$result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
$num = mysql_num_rows($result);
$n = 0;
?>


Yet if I delete the piece of code above code it works fine, but I don't understand why the above code effects this?  Anyone plese help me understand?

Thanks

Is it correct to use mysql_real_escape_string() function on every query that i wonna insert or search ?
I have fields like TEXT(dectription of article), VARCHAR(name of article) and more like that, and is there correct to use mysql_real_escape_string for all fields when query is INSERT  ?

I just red few tutorials about  mysql_real_escape_string. Could someone check if this is correct?

<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $db);

$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");

if (mysql_num_rows ($result) > 0){
$register = "&err=Not Available.";
echo($register);
} else {
$username = mysql_real_escape_string($_POST['username'], $db);
$password = mysql_real_escape_string($_POST['password'], $db);
$name = mysql_real_escape_string($_POST['name'], $db);
$email = mysql_real_escape_string($_POST['email'], $db);
$id = mysql_real_escape_string($_POST['id'], $db);

mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
$register = "Successful.";
echo($register);
}
?>

Good morning,   I am trying to implement a simple sanitization of data before inserting in my database and am having a little trouble due to the fact that I am using a third party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted.  I have used this method in the past, but not with an object operator.    // insert into database

Hello and thanks in advance for the input.  I a fully functioning form.  I am validating the input and successfully inserting the input into the mysql database.  Now I am trying to escape the data by adding the basic line of code:

$name = mysql_real_escape_string($_POST['name']);

The input is successful but the mysql_database for name field is empty.  If I remove the above line of code and just input the value for $name (without escape) the update works great.  So the question is obvious for the above.  Why?

Code: [Select]
$update = "UPDATE model SET name = '$name', age = '$age', height = '" . mysql_real_escape_string($height) . "', hair = '$hair', bust = '$bust', waist = '$waist', hips = '$hips' ......... WHERE id = '$id' ";
$rsUpdate = mysql_query($update);
After reading the manual at php.net on this function, I should be inserting the mysql_real_escape_string for each variable, correct? Right now I just have it for $height. The reason I'm asking is because I have 28 columns in this table and want to make sure I'm using this function properly as it seems like a tedious process and messy code.

This topic has been moved to PHP Installation & Configuration.

http://www.phpfreaks.com/forums/index.php?topic=334216.0

This topic has been moved to Miscellaneous.

http://www.phpfreaks.com/forums/index.php?topic=348673.0

Please help. I am running xampp for windows - it contains apache, ssl, php, mysql. I am unable to generate  a key/cert via php even though everything is apparently set up and running correctly. I ran a script and it said the following

Quote

Warning: openssl_csr_sign() [function.openssl-csr-sign]: cannot get CSR from parameter 1 in C:\xampp\htdocs\cert.php on line 31

Warning: openssl_csr_export() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\cert.php on line 40

Warning: openssl_x509_export() [function.openssl-x509-export]: cannot get cert from parameter 1 in C:\xampp\htdocs\cert.php on line 41

Warning: openssl_pkey_export() [function.openssl-pkey-export]: cannot get key from parameter 1 in C:\xampp\htdocs\cert.php on line 42

error:02001003:system library:fopen:No such process error:2006D080:BIO routines:BIO_new_file:no such file error:0E064002:configuration file routines:CONF_load:system lib error:02001003:system library:fopen:No such process error:2006D080:BIO routines:BIO_new_file:no such file error:0E064002:configuration file routines:CONF_load:system lib error:02001003:system library:fopen:No such process error:2006D080:BIO routines:BIO_new_file:no such file error:0E064002:configuration file routines:CONF_load:system lib error:02001003:system library:fopen:No such process error:2006D080:BIO routines:BIO_new_file:no such file error:0E064002:configuration file routines:CONF_load:system lib




cert.php
<?php
$configargs = array(
    'config' => '../apache/bin/openssl.cnf',
    'digest_alg' => 'md5',
    'x509_extensions' => 'v3_ca',
    'req_extensions'   => 'v3_req',
    'private_key_bits' => 666,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'encrypt_key' => false,
    );

$dn = array(
    "countryName" => "IE",
    "stateOrProvinceName" => "cork",
    "localityName" => "cork",
    "organizationName" => "org",
    "organizationalUnitName" => "Organizational Unit Name",
    "commonName" => "example.com",
    "emailAddress" => "Email Address"
);

// Generate a new private (and public) key pair
$privkey = openssl_pkey_new($configargs);

// Generate a certificate signing request
$csr = openssl_csr_new($dn, $privkey);

// You will usually want to create a self-signed certificate at this
// point until your CA fulfills your request.
// This creates a self-signed cert that is valid for 365 days
$sscert = openssl_csr_sign($csr, null, $privkey, 365);

// Now you will want to preserve your private key, CSR and self-signed
// cert so that they can be installed into your web server, mail server
// or mail client (depending on the intended use of the certificate).
// This example shows how to get those things into variables, but you
// can also store them directly into files.
// Typically, you will send the CSR on to your CA who will then issue
// you with the "real" certificate.
openssl_csr_export($csr, $csrout) and var_dump($csrout);
openssl_x509_export($sscert, $certout) and var_dump($certout);
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);

// Show any errors that occurred here
while (($e = openssl_error_string()) !== false) {
    echo $e . "\n";
}
?>

Hi, I have an HTML Area on an admin section of my site. The HTML gets submitted to a MySQL database, but gets parsed using mysql_real_escape_string. The problem i have just noticed, is that upon every edit, it gets parsed again, and again.

Here is the code:


Code: [Select]
$updatequery = "UPDATE zen_blog SET content = '" . mysql_real_escape_string($htmlcontent) . "', active=$activate WHERE id = $updateid";
$doupdate = $db->Execute($updatequery);
Here is the result:

Quote

<h2 class=\\"\\\\\\"\\\\\\\\\\\\\\"page_title\\\\\\\\\\\\\\"\\\\\\"\\">


Is it possible to only use it where its needed?

Thanks!

Joe

I am trying to insert variables into a database, some of which potentially could hold apostrophes.
I know about mysql_real_escape_string so I generate this sql statement:
Code: [Select]
$sql = ("INSERT INTO $fcbk_id (PredictedAt, HomeTeam, AwayTeam, HomePrediction, AwayPrediction, GameKey)
VALUES ('".mysql_real_escape_string($date_now)."', '".mysql_real_escape_string($HomeTeam)."',
'".mysql_real_escape_string($AwayTeam)."', '".mysql_real_escape_string($HomeScore)."',
'".mysql_real_escape_string($AwayScore)."', '".mysql_real_escape_string($GameKey)."')");
It dont get any errors, even with this:
Code: [Select]
if (!mysql_query($sql))
     {
       // SQL failed, print error message and abort
       print mysql_error();exit();
     }
however it still doesnt insert anything after an apostrophe in the fields. I am running this from my localhost. I.e Nottingham is sometimes shortened to Nott'ham, but all that would be entered to the database is Nott

Any ideas why?

Is it necessary to use mysql_real_escape_string() when I'm retrieving fields from a table that the user had no input on the result?

Such as if there was a template color that the admin set in the siteconfig table that the script selects automatically with no user input.

Cheers!