[RESOLVED] mysql_real_escape_string usage

kostis12345

Hi,I want to secure my login and register script and I found some methods,after reading some articles I believe mysql_real_escape_string is the best.The problem is I'm stuck on how to use it and I'd like to get some examples(explained if possible).
Thanks in Advance

laserlight

kostis12345 wrote:
after reading some articles I believe mysql_real_escape_string is the best.

If you are using the MySQL extension and need to escape string input then yes, mysql_real_escape_string() is the best function to use.

kostis12345 wrote:
The problem is I'm stuck on how to use it and I'd like to get some examples(explained if possible).

Read the PHP manual's entry on [man]mysql_real_escape_string/man.

That said, I suggest the use of the PDO extension or the MySQLi extension instead of the MySQL extension. In such a case, prepared statements would be a generally better option.

kostis12345

Thanks a lot 😃

laserlight

You're welcome 🙂
Remember to mark this thread as resolved using the thread tools.

kostis12345

I read the stuff in the php manual but I have a question

In the fist example

<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
?>

Here mysql_real_escape_string escapes $user and $password.I can't find where they are defined.Are they user='%s' and password='%s' ?

Thanks in advance

laserlight

Those are just example variables assumed to exist. In practice the variables might come from say, the $_POST superglobal array.

kostis12345

Ok,thanks a lot for helping