colder Thu Jan 18 20:36:11 2007 UTC
Modified files:
/phpdoc/en/reference/mysql/functions mysql-real-escape-string.xml
Log:
improve the example of "best practice"
http://cvs.php.net/viewvc.cgi/phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml?r1=1.26&r2=1.27&diff_format=u
Index: phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml
diff -u phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml:1.26
phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml:1.27
--- phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml:1.26
Sat Mar 11 11:53:41 2006
+++ phpdoc/en/reference/mysql/functions/mysql-real-escape-string.xml Thu Jan
18 20:36:11 2007
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.26 $ -->
+<!-- $Revision: 1.27 $ -->
<refentry id="function.mysql-real-escape-string">
<refnamediv>
<refname>mysql_real_escape_string</refname>
@@ -121,30 +121,44 @@
<programlisting role="php">
<![CDATA[
<?php
-// Quote variable to make safe
-function quote_smart($value)
-{
- // Stripslashes
- if (get_magic_quotes_gpc()) {
- $value = stripslashes($value);
- }
- // Quote if not a number or a numeric string
- if (!is_numeric($value)) {
- $value = "'" . mysql_real_escape_string($value) . "'";
- }
- return $value;
-}
-// Connect
-$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
- OR die(mysql_error());
+if (isset($_POST['product_name']) && isset($_POST['product_description']) &&
isset($_POST['user_id'])) {
+ // Connect
-// Make a safe query
-$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
- quote_smart($_POST['username']),
- quote_smart($_POST['password']));
+ $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');
-mysql_query($query);
+ if(!is_resource($link)) {
+
+ echo "Failed to connect to the server\n";
+ // ... log the error properly
+
+ } else {
+
+ // Reverse magic_quotes_gpc effects on those vars if ON.
+
+ if(get_magic_quotes_gpc()) {
+ $product_name = stripslashes($_POST['product_name']);
+ $product_description = stripslashes($_POST['product_description']);
+ } else {
+ $product_name = $_POST['product_name'];
+ $product_description = $_POST['product_description'];
+ }
+
+ // Make a safe query
+ $query = sprintf("INSERT INTO products (`name`, `description`,
`user_id`) VALUES ('%s', '%s', '%d')",
+ mysql_real_escape_string($product_name, $link),
+ mysql_real_escape_string($product_description, $link),
+ $_POST['user_id']);
+
+ mysql_query($query, $link);
+
+ if (mysql_affected_rows($link) > 0) {
+ echo "Product inserted\n";
+ }
+ }
+} else {
+ echo "Fill the form properly\n";
+}
?>
]]>
</programlisting>
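Review bot: The return value of `mysql_query($query, $link)` on the line after the sprintf is discarded, so a failed INSERT (bad SQL, duplicate key, dropped connection) is silently swallowed and the script falls through to `mysql_affected_rows`, which returns -1 on failure; an example presented as best practice should test the result and log `mysql_error($link)`: `if (mysql_query($query, $link) === false) { /* log mysql_error($link) */ } elseif (mysql_affected_rows($link) > 0) { echo "Product inserted\n"; }`. The `%d` conversion keeps `$_POST['user_id']` injection-safe, but the quotes around `'%d'` are unnecessary for an integer column and the id is still trusted verbatim from the form rather than the authenticated session, which the text should at least call out so readers do not copy that part. It would also be worth one comment noting that `mysql_real_escape_string` is only as reliable as the connection character set it knows about, since the example never sets one and escaping can be undermined under some multibyte charsets when client library and server disagree (verify the exact wording against the manual's charset section).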