I'm using mysql_real_escape_string() to secure user input and I'm not receiving any errors when I run the function. How can I tell that the function is working? Here is the code that I'm using:<br /><br /><div class='codetop'>CODE</div><div class='codemain' style='height:200px;white-space
re;overflow:auto'>$username = "<script>testing</script>";<br />$password = "kyle's test";<br /><br />$conn = mysql_connect(dbhost, dbuser, dbpass);<br /><br />$query = sprintf("INSERT INTO Test (username, password) VALUES ('%s', '%s')",<br /> mysql_real_escape_string($username, $conn),<br /> mysql_real_escape_string($password), $conn);<br /><br /> mysql_query($query, $conn);<br /></div><br /><br />When I view the information in my database, the input shows exactly as it is entered in the script above. I thought that the mysql_real_escape_string() function would prevent the <script> tags from being entered. Am I wrong?<br /><br />I know there are other functions to strip tags from user input, but I thought the mysql_real_escape_string() function would also handle this.<br /><br />Any ideas, thoughts, help is appreciated. Thanks.<!--content-->
No, mysql_real_escape_string() is used to guard against SQL injection attacks. It doesn't care about any HTML that may be contained in the string. Something like strip_tags() can be used to remove HTML tags (but won't escape quotes, etc. that are used in SQL injection.)<!--content-->
Ok, thanks click. I'll just make sure that the input that I am accepting is limited to certain numbers and characters.<!--content-->
re;overflow:auto'>$username = "<script>testing</script>";<br />$password = "kyle's test";<br /><br />$conn = mysql_connect(dbhost, dbuser, dbpass);<br /><br />$query = sprintf("INSERT INTO Test (username, password) VALUES ('%s', '%s')",<br /> mysql_real_escape_string($username, $conn),<br /> mysql_real_escape_string($password), $conn);<br /><br /> mysql_query($query, $conn);<br /></div><br /><br />When I view the information in my database, the input shows exactly as it is entered in the script above. I thought that the mysql_real_escape_string() function would prevent the <script> tags from being entered. Am I wrong?<br /><br />I know there are other functions to strip tags from user input, but I thought the mysql_real_escape_string() function would also handle this.<br /><br />Any ideas, thoughts, help is appreciated. Thanks.<!--content-->No, mysql_real_escape_string() is used to guard against SQL injection attacks. It doesn't care about any HTML that may be contained in the string. Something like strip_tags() can be used to remove HTML tags (but won't escape quotes, etc. that are used in SQL injection.)<!--content-->
Ok, thanks click. I'll just make sure that the input that I am accepting is limited to certain numbers and characters.<!--content-->