0

I have a question about parse_str and mysql_real_String. Can I do like that and will effect all parameters from form?

 $post_data =  mysql_real_escape_string($_post['form']);
  parse_str($post_data,$query)
  print_r($query)
  INSERT INTO xyz(id,name) VALUES(1,$query['name'])

Or

parse_str($_POST['form'],$query)
INSERT INTO xyz(id,name) VALUES(1,$query['name'])
print_r($query)

So the question is if mysql_real_escape_String effect all POST params of $_post['form'] or I have to explicitly in SQL make that statement?.

Improve this question
3
  • Better approach would be to use prepared statements all together ... Commented Apr 13, 2015 at 6:45
  • 1
    Assuming you meant $_POST instead of $_post, why would you be submitting form values with url encoded data? Commented Apr 13, 2015 at 6:55
  • Please stop trying to come up with clever new ways of escaping data, that's exactly how security vulnerabilities are made. Escaping each individual string is tedious and boring, but it's the correct way to go. (...as a distant second choice after using prepared statements obviously.) Commented Apr 13, 2015 at 7:06

1 Answer 1

Reset to default
2

parse_str and mysql_real_escape_string work with different encodings. parse_str decodes the percent-encoding, which is not recognized by mysql_real_escape_string:

$_post['form'] = 'name='.rawurlencode('\'"\\');
$post_data =  mysql_real_escape_string($_post['form']);
parse_str($post_data, $query);
echo $query['name'];  // output: '"\

You need to apply the encodings in the right order. mysql_real_escape_string must always come just right before putting the value into the MySQL string literal.

As always, passing the values as parameters as provided by prepared statements would be the better solution.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I apreciate your answer. Thank you.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.