
I have this code, and for some reason, it puts in the exact value (including mysql_real...)

mysql_query("INSERT INTO members (username) VALUES ('mysql_real_escape_string($uname)')"); 

how do I rewrite this so I don't have this issue?

2 Answers


mysql_real_escape_string is a PHP function, not a MySQL function.

$value = mysql_real_escape_string($uname);
mysql_query("INSERT INTO members (username) VALUES ('$value')");

UPDATE: Inline mysql_real_escape_string

mysql_query("INSERT INTO members (username) VALUES ('".mysql_real_escape_string($uname)."')");


2 Comments

Isn't there some way I could just tie it into the SQL so I don't have to make them separate? I thought I saw someone do that...
Yes, but why?
mysql_query("INSERT INTO members (username) VALUES ('".mysql_real_escape_string($uname)."')");

You could also use a prepared statement, where PDO takes care of escaping for whatever database it works with (not just MySQL):

$stmt = $dbh->prepare("INSERT INTO members (username) VALUES (:username)");
// either:
$stmt->bindParam(':username', $uname);
$stmt->execute();
// or as Corbin pointed out in the comments:
$stmt->execute(array('username' => $uname));

3 Comments

Unless I've just never seen that syntax before, you missed the () around :username. And it's also worth noting that he could just do $stmt->execute(array('username' => $uname)) in this example.
PDO has an issue where it spits out the password when you are doing error reporting. Also I think it might be difficult for someone new to pick up.
I'm sure error reporting can be configured. If the database server is configured correctly, it won't allow connections from external IPs and the password isn't of much use anyway. Prepared statements also protect better than mysql_real_escape_string against XSS.
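An added example (not code from the question or either answer) that contrasts the three forms discussed: the question's interpolated string, the escape-and-concatenate form, and the PDO prepared statement. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL, with PDO::quote() standing in for mysql_real_escape_string(), which needs a live MySQL connection and was removed in PHP 7:

```php
<?php
// Added example, not code from the question or answers above.
// Assumptions: the pdo_sqlite extension is enabled; an in-memory SQLite
// database stands in for MySQL so the script runs without a server.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT)");

$uname = "o'brien";  // constructed sample input containing a single quote

// 1. What the question's code really builds. PHP interpolates only variables
//    inside a double-quoted string, so the function name is copied into the
//    SQL as plain text and the quote inside $uname lands unescaped in it.
$broken = "INSERT INTO members (username) VALUES ('mysql_real_escape_string($uname)')";
echo "Broken SQL: $broken\n";
try {
    $dbh->exec($broken);
} catch (PDOException $e) {
    echo "Rejected by the database: ", $e->getMessage(), "\n";
}

// 2. The concatenation form from the first answer, with PDO::quote() standing
//    in for mysql_real_escape_string(). Note that quote() adds the surrounding
//    quotes itself, so none are written into the SQL string here.
$dbh->exec("INSERT INTO members (username) VALUES (" . $dbh->quote($uname) . ")");

// 3. Prepared statement, as in the second answer: the value travels separately
//    from the SQL text, so nothing in it can change the statement's structure.
$stmt = $dbh->prepare("INSERT INTO members (username) VALUES (:username)");
$stmt->execute(['username' => $uname]);

// Both safe forms stored the quote intact; a prepared SELECT with the same
// input finds both rows.
$check = $dbh->prepare("SELECT COUNT(*) FROM members WHERE username = :username");
$check->execute(['username' => $uname]);
echo "Rows stored for {$uname}: ", $check->fetchColumn(), "\n";
```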
