Escaping invalid characters in php

In this tutorial, I'm going to show you how you can escape all invalid characters in PHP. This is useful when you are writing an application that connects to and manipulates a database, for example a MySQL database against which you run insert, update and delete queries.

Why escape invalid characters?

Simple: not every character you can type on your keyboard is valid inside a query. As an example, open phpMyAdmin and run the query below on a database of your choice:

SELECT * FROM table_name where field_name='dog's'

Note: substitute table_name and field_name with the table name and field name that you are actually querying.

Next thing you will see is this nasty error:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's'' at line 1

You can now imagine what will happen if you just did something like this in your code:

<?php
include_once('connection.php');
$uname = $_POST['uname'];
$pword = $_POST['pword'];
// the raw form values are pasted straight into the SQL string
mysql_query("INSERT INTO users(Username, Password)
             VALUES('$uname','$pword')");
?>

You'll get the same nasty error as soon as a user types an invalid character into the form.

Here are some ways to keep invalid characters out of your queries. They also help against SQL injection and other nasty attacks, but don't take my word for it: research SQL injection defenses if you want to make your application more secure.

mysql_real_escape_string()

Use the built-in PHP function to sanitize user input:

$userinfor = array($_POST['uname'], md5($_POST['pword']));
$newvalue = array();
foreach ($userinfor as $key => $value) {
    // escapes quotes, backslashes, NUL and newlines; needs an open mysql connection
    $newvalue[$key] = mysql_real_escape_string($value);
}
$uname = $newvalue[0];
$pword = $newvalue[1];
$db->query("INSERT INTO users(Username, Password)
            VALUES('$uname','$pword')");

Note: the code that executes the query looks a bit different because I'm using a PHP class called ezsql. As the name implies, it is a class that makes it easy to manipulate databases that speak standard SQL.

If the code above didn't work for you, you can always do it like this:

$uname = mysql_real_escape_string($_POST['uname']);
$pword = mysql_real_escape_string($_POST['pword']);  // single '=': the original '==' compared instead of assigning
$db->query("INSERT INTO users(Uname, Hpword)
            VALUES('$uname','$pword')");

 

PDO

You can also use PDO in PHP. Don't ask me what PDO stands for, because I can't find anything on the internet about what it means. So if you know what it means, please leave a comment.

To keep things short: I use PDO to sanitize user input automatically, without having to write any functions to handle it.

PDO is a built-in class in PHP, so you don't have to download anything if you already have PHP installed on your computer.

Begin by creating an object of the PDO class (the DSN must be a single string with no line breaks):

$pdo = new PDO("mysql:host=localhost;dbname=testdb", "root", "yourmysqlpassword");

As I have always said, the defaults are:

  • localhost - this is your local computer, and the default for the host.
  • testdb - the database that you want to manipulate.
  • root - the default user. You can leave it as it is.
  • yourmysqlpassword - yeah, this is your MySQL password. Most of the time this is blank.

Then here's an example of how to insert records into the database using PDO:

$fname = $_POST['fname'];
$lname = $_POST['lname'];
$inserts = $pdo->prepare('INSERT INTO testtable(LNAME, FNAME)
                          VALUES(:lname, :fname)');   // placeholders now match the column order
$inserts->bindParam(':fname', $fname);   // bindParam binds by reference; the value is read at execute()
$inserts->bindParam(':lname', $lname);
$inserts->execute();
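A complete PDO version of the insert above, plus the matching read, as an added example that is not part of the original post. It assumes a MySQL server reachable with the constructed credentials shown and a testtable(LNAME, FNAME) table, and it deliberately feeds in the apostrophe that produced error #1064 earlier.

```php
<?php
// Added example, not from the original post. Assumes a MySQL server reachable
// with the constructed credentials below and a table
//   testtable(LNAME VARCHAR(64), FNAME VARCHAR(64)).
$pdo = new PDO(
    'mysql:host=localhost;dbname=testdb;charset=utf8mb4',
    'root',
    'yourmysqlpassword',
    [
        // Throw on errors instead of failing silently (the default mode).
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: values travel separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

function insert_person(PDO $pdo, string $fname, string $lname): int
{
    // The statement text holds only placeholders, so quotes, backslashes or
    // semicolons inside the values can never change the query's structure.
    $stmt = $pdo->prepare('INSERT INTO testtable(LNAME, FNAME) VALUES(:lname, :fname)');
    $stmt->execute([':fname' => $fname, ':lname' => $lname]);
    return $stmt->rowCount();
}

function find_by_lname(PDO $pdo, string $lname): array
{
    $stmt = $pdo->prepare('SELECT FNAME, LNAME FROM testtable WHERE LNAME = :lname');
    $stmt->execute([':lname' => $lname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input containing the apostrophe that broke the earlier query.
$fname = $_POST['fname'] ?? 'Dog';
$lname = $_POST['lname'] ?? "O'Brien";

try {
    insert_person($pdo, $fname, $lname);
    foreach (find_by_lname($pdo, $lname) as $row) {
        echo $row['FNAME'], ' ', $row['LNAME'], PHP_EOL;
    }
} catch (PDOException $e) {
    // Log the driver message server-side; do not echo it to the browser.
    error_log($e->getMessage());
    echo 'Database error', PHP_EOL;
}
```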

There's an extensive tutorial on how to use PDO, which you might want to read if you want to learn more about it.

And an article on why you should be using PDO.

Conclusion

What you have just read are some of the ways you can sanitize user input to avoid errors when performing SQL queries. Knowing and applying these techniques in your future projects will make the data in your database more reliable. And as you can see in the PDO example, it also makes your code cleaner as you use classes in your application.

2 thoughts on "Escaping invalid characters in php"

  1. Pingback: Introduction to premium tutorials « Data Integrated Entity

  2. Just a word for PDOs.
     http://php.net/manual/en/book.pdo.php
     And an extract from one of the sites you've given us:
     "What is PDO.

     PDO is a PHP extension to formalise PHP's database connections by creating a uniform interface. This allows developers to create code which is portable across many databases and platforms. PDO is _not_ just another abstraction layer like PearDB although PearDB may use PDO as a backend. Those of you familiar with Perl's DBI may find the syntax disturbingly familiar."
