serverman Posted May 15, 2008 Share Posted May 15, 2008 ok ive been reading the mysql_real_escape but i dont get it... will some one please explane how to add it to my code and how it works (please and thank you) oh and the code is a little sloppy i did it my self and im a noob (like 6 months of looking at php and 1 of working with it) and if you have any tips on how to improve this please do share <?php //vars $login = mysql_connect("---","---","---"); $firstname = $_POST['firstname']; $comment = $_POST['comment']; $ip = getenv('REMOTE_ADDR'); //test if(!$firstname || !$comment ) { die("Fill the form properly!"); } //connect if (!$login) { die('Could not connect: ' . mysql_error()); } mysql_select_db("website_stuff", $login);$sql="INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('$_POST[firstname]','$_POST[lastname]','$_POST[email]','$_POST[comment]', '$ip')"; //query if (!mysql_query($sql,$login)) { die('Error: ' . mysql_error()); } // ending echo "Thank you for leaving a comment."."<a href='../../home.PHP'>Back to Home</a>"; mysql_close($login) ?> Quote Link to comment Share on other sites More sharing options...
LooieENG Posted May 15, 2008 Share Posted May 15, 2008 To use it, just do <?php $var = $_GET['var']; $var = mysql_real_escape_string($var); ?> And when you print the data <?php echo stripslashes($var); ?> Quote Link to comment Share on other sites More sharing options...
DeanWhitehouse Posted May 15, 2008 Share Posted May 15, 2008 mysql_connect does not need to be a vairable, just add or die after it and then the script won't work if it can't connect Quote Link to comment Share on other sites More sharing options...
MadTechie Posted May 15, 2008 Share Posted May 15, 2008 okay this is the line $sql="INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('$_POST[firstname]','$_POST[lastname]','$_POST[email]','$_POST[comment]', '$ip')"; change to $sql="INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('".mysql_real_escape($_POST['firstname'])."','".mysql_real_escape($_POST['lastname'])."','".mysql_real_escape($_POST['email'])."','".mysql_real_escape($_POST['comment'])."', '$ip')"; the reason, well read up on sql injection, but basically you are allowing anyone to control your whole database, that means anything you store in the database can be drop (removed) or updated (with anything of their choice) put it this way, heres your insert INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('$_POST[firstname]','$_POST[lastname]','$_POST[email]','$_POST[comment]', '$ip')" now lets say the first name was mad last name techie, email none@msn.com, and comment was nothing','0.0.0.0')-- looks weired i know but how will you code deal with it ? basically your code will give the comment nothing and the ip 0.0.0.0 why ? this is the resolved SQL statement INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('mad','techie','none@msn.com','nothing','0.0.0.0')--', '$ip') the -- comments out the statement after it so you endup with INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('mad','techie','none@msn.com','nothing','0.0.0.0') So yo add to your existing code <?php //vars $login = mysql_connect("---","---","---"); $firstname = $_POST['firstname']; $comment = $_POST['comment']; $ip = getenv('REMOTE_ADDR'); //test if(!$firstname || !$comment ) { die("Fill the form properly!"); } //connect if (!$login) { die('Could not connect: ' . mysql_error()); } /*--OLD mysql_select_db("website_stuff", $login);$sql="INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('$_POST[firstname]','$_POST[lastname]','$_POST[email]','$_POST[comment]', '$ip')"; */ mysql_select_db("website_stuff", $login); $sql="INSERT INTO comment (FirstName, LastName, Email, Comment, Ip) VALUES('".mysql_real_escape($_POST['firstname'])."','".mysql_real_escape($_POST['lastname'])."','".mysql_real_escape($_POST['email'])."','".mysql_real_escape($_POST['comment'])."', '$ip')"; //query if (!mysql_query($sql,$login)) { die('Error: ' . mysql_error()); } // ending echo "Thank you for leaving a comment."."<a href='../../home.PHP'>Back to Home</a>"; mysql_close($login) ?> Quote Link to comment Share on other sites More sharing options...
serverman Posted May 15, 2008 Author Share Posted May 15, 2008 thanks dude i that was alot of help i give you 2 tumbs up for taking the time to explain and not just show me how to do it thanks... php is sweet! Quote Link to comment Share on other sites More sharing options...
MadTechie Posted May 15, 2008 Share Posted May 15, 2008 your welcome, if this post is solved can you click solved, same other helpers having to read it all as a side note the injection can be worse ie dropping the table or on a login select * from users where username = '{$_POST['user']}' and password = '{$_POST['pass']}'; if the $_POST['user'] = admin' -- OR select * from users where password = '{$_POST['pass']}' and username = '{$_POST['user']}' ; if the $_POST['user'] = admin' OR username='admin'-- etc etc but i assume you get the idea Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.