Code for updating a database in PHP
I suppose it means that my MySQL version is protected from SQL injection because it performs the escape, but the older MySQL fails to delete the \ when shown in the database or on a web page.
As I can't get my host to update my MySQL today, I've looked for an alternative.
$select_query = "SELECT * ";
$select_query .= "FROM test ";
$select_query .= "WHERE user_id = '$user_id'";
$check_user_id = mysqli_query($connection, $select_query);

$query = "INSERT INTO test (";
$query .= " user_id, name, message";
$query .= ") VALUES (";
$query .= " '', '', ''";
$query .= ")";
$result = mysqli_query($connection, $query);
if ($result) else

However, when I use the following code with an if/else statement, it does not work anymore, although the console reports "Success!

$select_query = "SELECT * ";
$select_query .= "FROM test ";
$select_query .= "WHERE user_id = '$user_id'";
$check_user_id = mysqli_query($connection, $select_query);
if (!
My code structure is totally different from yours.
I found that it either made an empty field if it was before the connection to the database, or, when I put the variable inside the MySQL section, it created an error if a name or text had a ' in it (which needs to be kept).
The mysql_real_escape_string() escapes those potentially malicious characters so they don't affect the query.
So I've used entities ENT_QUOTES instead of htmlspecialchars.
For example, say a person enters this into an input named "username": The extra quote in there will end the query early and then add an additional clause, meaning that the statement will always be true, so every single entry in the "customers" table would be selected by this statement.
Using this method, someone could insert and run additional code, even deleting tables or dropping the entire database.
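As an added example (not code from the thread or from any poster): the SELECT and INSERT from the posts above, first built by string concatenation as in the thread, then as mysqli prepared statements, which avoid both problems discussed here, the injection through an unescaped quote and the escaping call emptying the field. It assumes an open mysqli connection in $connection, the table test with columns user_id, name and message from the thread, and the mysqlnd driver for mysqli_stmt_get_result().

```php
<?php
// Vulnerable form, as written in the thread: $user_id is pasted straight into
// the SQL text, so a single quote in the input closes the literal early and
// whatever follows becomes part of the statement.
function find_user_unsafe(mysqli $connection, string $user_id): array
{
    $sql = "SELECT * FROM test WHERE user_id = '$user_id'";
    $result = mysqli_query($connection, $sql);
    return $result ? mysqli_fetch_all($result, MYSQLI_ASSOC) : [];
}

// Safe form: the SQL text is fixed and the value travels separately as a
// bound parameter. Quotes in the value can never change the statement's
// structure, and nothing has to be escaped or stripped from it.
function find_user_safe(mysqli $connection, string $user_id): array
{
    $stmt = mysqli_prepare($connection, "SELECT * FROM test WHERE user_id = ?");
    if ($stmt === false) {
        return [];
    }
    mysqli_stmt_bind_param($stmt, "s", $user_id);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $rows = $result ? mysqli_fetch_all($result, MYSQLI_ASSOC) : [];
    mysqli_stmt_close($stmt);
    return $rows;
}

// The INSERT from the thread, parameterised the same way. A name or message
// containing an apostrophe (for example O'Brien) is stored exactly as typed,
// which is what the poster wanted to keep.
function insert_message(mysqli $connection, string $user_id, string $name, string $message): bool
{
    $stmt = mysqli_prepare(
        $connection,
        "INSERT INTO test (user_id, name, message) VALUES (?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "sss", $user_id, $name, $message);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}
```

With prepared statements the mysql_real_escape_string() call that emptied the message field is no longer needed at all; the driver handles the values.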
Edit: here is an article discussing in more detail what I am talking about: Tutorial
You should add some validation to your script; as it stands, the sample code above is easily injectable.
I've been experimenting with mysql_real_escape_string() and found that it deletes all content in a field. Where I had $message = ($_POST['message']); in the PHP file that processes the form, I got an entry in the database, but when I changed the form PHP to $message = mysql_real_escape_string($_POST['message']); it sent the form data to the database with all the other fields, but the message field was empty.