Comments on: Creating a PHP CMS – Part 3

By: Eric Bannatyne

Eric Bannatyne — Fri, 27 Aug 2010 17:43:17 +0000

If you're getting errors with mysql_real_escape_string, that probably means that there is a problem with your connection to the MySQL database. Remember: When inserting data into a database using these methods it is always crucial to sanitize your inputs using mysql_real_escape_string, doing otherwise would be a huge security risk (See the SQL injection section of Hack Your Own Site. That article also mentions using prepared statements, a "newer" way of doing this, which is not mentioned in this article.

By: cathy

cathy — Fri, 27 Aug 2010 13:21:20 +0000

I have tried this code, initially i got errors refering to "mysql_real_escape_string" I decideed to remove this and just use "$title = $_GET['title'];". I now hav enoerrors but the data is not saving, Am I doin fsomething wrong?

By: Eric Bannatyne

Eric Bannatyne — Thu, 20 Aug 2009 03:07:25 +0000

Kabarovsky: This is probably not the case, but you can try making sure that the value of the 'name' attributes in your form fields match your $_POST values.

By: Eric Bannatyne

Eric Bannatyne — Wed, 19 Aug 2009 01:52:24 +0000

The quotes are really mostly extra protection, just in case... :P

By: Hua Chen

Hua Chen — Wed, 19 Aug 2009 01:37:31 +0000

I also afraid of SQL injection, but didn't mysql_real_escape_string has already prevent it? Can you help me Google it in Google English or ask your friends about it? Thanks!

By: Eric Bannatyne

Eric Bannatyne — Tue, 18 Aug 2009 16:26:12 +0000

Hua Chen: There are some speed differences. I think that the quotes may also help to prevent SQL injection, but I'm not completely sure.

By: Hua Chen

Hua Chen — Tue, 18 Aug 2009 16:14:04 +0000

I have compared the speed of these two, the one with single quotes took double the time to the one without single quotes. I also write a blog post about that:http://blog.huachen.me/php-sql-quote-string . But I just don't know why should always add that?

By: Eric Bannatyne

Eric Bannatyne — Tue, 18 Aug 2009 15:45:00 +0000

Kabarovsky: This may have something to do with your database configuration. I don't have access to your DB, so I'm not sure what the problem could be.

Hua Chen: I guess it's just what I'm used to, like how I always use quotes around the values of HTML attributes.

By: Hua Chen

Hua Chen — Tue, 18 Aug 2009 13:45:28 +0000

A question for you: Why you add the single quotes in the SQL query string: mysql_query("INSERT INTO pages (title, body, date) VALUES ('$title', '$body', '$date')"); ? If you delete these single quotes, it will also work well. Can you tell me why? Thanks!

By: Hua Chen

Hua Chen — Tue, 18 Aug 2009 13:41:36 +0000

Very well using mysql_real_escape_string, it is very important!
But you miss a small thing, you forget to set the default timezone when using time() function.
If you know Chinese, you can have a look at my blog post: http://blog.huachen.me/php-beijing-time, but if you don't know Chinese, you can also search the php function date_default_timezone_set() for answer! ^_^