
Currently I have this:

$password = mysql_real_escape_string($_POST['password']);

and then I check the password with this:

    // Fetch the stored hash for this e-mail and compare it with the submitted password.
    $password_q = mysql_query("SELECT password FROM ppl WHERE email='$email'");
    $password_result = mysql_result($password_q, 0);
    if (!password_verify($password, $password_result)) {
        $error = 'Wrong password.';
    } else {

Is there any need to use mysql_real_escape_string here or should I remove it? This is the only place in the code where $password variable is used.

I should have mentioned that I'm stuck with using the older MySQL API.

Jay Blanchard
Saul Tigh
  • Remember [this comment](http://stackoverflow.com/questions/36772695/where-should-i-place-mysql-real-escape-string#comment61123350_36772695) in your other question? ;-) **A:**. Don't. – Funk Forty Niner Apr 22 '16 at 11:54
  • @Fred-ii- YEAH, I actually already started using it thanks to you, I got this: `else if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $error = "Are you trying to hack my website?";` Though I'm still not sure if I can completely remove mysql_real_escape – Saul Tigh Apr 22 '16 at 11:56
  • Personally, seeing the 2 answers given so far, they don't explain why you shouldn't. This Q&A does http://stackoverflow.com/questions/36628418/cleansing-user-passwords and is probably a possible duplicate. Oh, and you're welcome. – Funk Forty Niner Apr 22 '16 at 11:59
  • For example: if your password contains a `$` sign, everything following it will be ignored/thrown out. – Funk Forty Niner Apr 22 '16 at 12:02
  • I'm curious though. You stated in another question that you were stuck with using the MySQL_ API. `password_verify()` is used with PHP 5.5, so why not use the MySQLi_ or PDO API? That way, you could use prepared statements. – Funk Forty Niner Apr 22 '16 at 12:03
  • @Fred-ii- well because all web pages are already written in mysql. As far as I know, I shouldn't mix PDO with Mysql on the same web page? Or should I? – Saul Tigh Apr 22 '16 at 12:06
  • IIRC @Fred-ii- I think it was more of a stylistic choice. Even though capable, the remainder of the OP's website is written using the old API. I believe the OP sees the change as a departure from the overall architecture even if the code would be isolated to this particular set of functions. – Jay Blanchard Apr 22 '16 at 12:06
  • Ah ok. Well, you can't mix those APIs in the same run, no. Edit: @JayBlanchard just gave you a better explanation. ;-) For example: You can't connect with the PDO API and query with MySQL_ using the connection variable from the PDO connection. Consult the following on Stack http://stackoverflow.com/questions/17498216/can-i-mix-mysql-apis-in-php – Funk Forty Niner Apr 22 '16 at 12:06

2 Answers

There is no need since you (hopefully) aren't passing the password to your MySQL request, because mysql_real_escape_string is made to escape special characters in SQL request arguments.

mysql_real_escape_string — Escapes special characters in a string for use in an SQL statement

Aurel

You won't need to escape it since the password isn't passed through MySQL.

Escaping is used to prevent SQL-injection. There won't be SQL-injection since it's done BEFORE the query.

mysqli_real_escape_string()

This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.

Panda
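Added example, not from the question or either answer: it shows that escaping the submitted password breaks password_verify() once the stored hash was made from the raw password, and that only the e-mail ever enters a query. addslashes() stands in for mysql_real_escape_string() (which needs a live connection), and the lookup uses a mysqli prepared statement as suggested in the comments rather than the mysql_ API the question uses; the sample password and the fetch_hash() helper are constructed for this demo.

```php
<?php
// Constructed sample: the password chosen at registration. It contains
// the characters ' " and \ that escaping rewrites.
$registered = "p'ass\\w0rd\"!";

// At registration the RAW password is hashed; the hash is what is stored.
$stored_hash = password_hash($registered, PASSWORD_DEFAULT);

// Stand-in for mysql_real_escape_string(): addslashes() escapes ' " \ and NUL,
// which is enough to show the effect without a database connection.
function escape_like_mysql($s) {
    return addslashes($s);
}

// The login check from the question, with the password used directly.
function login_ok($submitted, $hash_from_db) {
    return password_verify($submitted, $hash_from_db);
}

var_dump(login_ok($registered, $stored_hash));                   // bool(true)
var_dump(login_ok(escape_like_mysql($registered), $stored_hash)); // bool(false)
// The escaped string is a different password, so verification fails.

// The only user value that reaches SQL is the e-mail. A prepared statement
// binds it as data, so no manual escaping is needed for it either.
function fetch_hash(mysqli $db, $email) {
    $stmt = $db->prepare("SELECT password FROM ppl WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null; // null when no account has that e-mail
}

// Login flow: $db is an assumed open mysqli connection, $_POST values are raw.
// $hash = fetch_hash($db, $_POST['email']);
// $ok   = $hash !== null && login_ok($_POST['password'], $hash);
```

Checking for a null hash before calling password_verify() also avoids the warning mysql_result() raises in the question's code when no row matches the e-mail.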