blank Form Submission and Mysql_real_escape_string


Xzalious

Question #1:

 

I've read up about MySQL injection, so I read the php.net manual about mysql_real_escape_string, used one of the sample codes and edited it to fit my database, but whenever I try to use the query below it comes out "1 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'xzalious\' AND Password = \'42eca585b71a2ebdd887f65a85c2d2e8\'' at line 1". So I was wondering if anyone would be able to explain it more and maybe provide an example of how to use it with SELECT for a login page and INSERT for a register page.

 

$query = "SELECT ID, Username, Active, Password FROM users WHERE Username = '".$user."' AND Password = '".md5($pass)."'";
$query = mysql_real_escape_string($query);
$result = mysql_query($query) or die("1 ".mysql_error());

 

Question #2:

 

When I travel to my register.php file, enter my information to be entered into the database and click the submit image or text, it reloads with no $error display, a blank form and no data in the table. So I've come here asking if anyone can shed some light on the matter that I'm just not seeing; any help is appreciated for both questions.

 

<?php
include('lib/opendb.php');

// Start session lol
session_start()

//If i suck, tell me why 
error_reporting(E_ALL);
ini_set('display_errors', 'on');

//  1 - Maintenance in progress
//  0 - No maintenace underway
$maintenance = 1;

// Configure members.php to $_GET time and date
// and make login.php change time/date value 

// If this is True, the user has hit the Register image or text
    if ( array_key_exists ( '_submit_check', $_POST ) )
    {
    	if ( $maintenance == 0 )
	{
		// Calculate Australian date user is registering on
		$hourdiff = "14";
		$r_date = date("l jS \of F Y",time() + ($hourdiff * 3600));

		// Store the information of the visitor
		$r_user = $_POST['r_username'];
		$r_epass = $_POST['r_epassword'];
		$r_cpass = $_POST['r_cpassword'];
		$r_eemail = $_POST['r_eemail'];
		$r_cemail = $_POST['r_cemail'];

		// Calculate the random key that activates a user
		$r_rankey = '';
		$pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
		for ( $i=0; $i < 32; $i++ )
		{
			$r_rankey .= substr ( $pool, mt_rand ( 0, strlen ( $pool ) -1 ), 1 );
		}

		// If the required fields are empty, tell the visitor
		if ( $r_user != '' && $r_epass != '' && $r_eemail )
		{
			// Make sure the confirm fields match, otherwise tell the visitor
			if ( $r_cpass == $r_epass && $r_cemail == $r_eemail )
			{
				// Check the email the visitor gave us for validity
				if ( ! preg_match ("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $r_eemail) == TRUE )
				{
					// Set up the query to check if the username or email exist
					$checkquery = "SELECT `username`, `email` FROM `users` WHERE `username` = '".$r_user."' AND `email` = '".$r_eemail."'";
					//$checkquery = mysql_real_escape_string($checkquery);
					$checkresult = mysql_query($checkquery) or die("1 ".mysql_error());

					// Zero results means the username and email are not in the
					// database so the visitor can use them as their login info 
					if (mysql_num_rows($checkresult) == 0 or die("2 ".mysql_error()))
					{
						// Enter the unique information into the database
						$registerquery = "INSERT INTO `users` (`username`, `password`, `email`, `date_registered`, `random_key`) ";
						$registerquery .= "VALUES ('".$r_user."' , '".$r_epass."' , '".$r_eemail."' , '".$r_date."' , '".$r_rankey."' )'";
						//$registerquery = mysql_real_escape_string($registerquery);
						$registerresult = mysql_query($registerquery) or die("3 ".mysql_error());

						// Setup Email information to assist in successfull process
						$fromEmail = "[email protected]";					// Sender's Email address
						$fromDomain = "Xzaliouses Database";				// Domain's name
						$subject = "Activation for Xzaliouses Database";	// Subject, duh?
						$bodyhtml = "Hello, ".$r_user.". <br /> Your account was successfully register into our database but has not been activated yet ";
						$bodyhtml .= ', to activate use this link: <br /><a href="http://xzalious.net46.net/database/login.php?activate='.$r_user.'&ID='.$r_rankey.'">';
						$bodyhtml .= 'http://xzalious.net46.net/database/login.php?activate='.$r_user.'&ID='.$r_rankey.'</a><br />Thank you for visiting Xzaliouses Database';

						// Correct the html in the email
						$search = array("'<script[^>]*?>.*?</script>'si","'<[\/\!]*?[^<>]*?>'si","'([\r\n])[\s]+'","'@<![\s\S]*?–[ \t\n\r]*>@'","'&(quot|#34|#034|#x22);'i",
										"'&(amp|#38|#038|#x26);'i","'&(lt|#60|#060|#x3c);'i","'&(gt|#62|#062|#x3e);'i","'&(nbsp|#160|#xa0);'i","'&(iexcl|#161);'i",
										"'&(cent|#162);'i","'&(pound|#163);'i","'&(copy|#169);'i","'&(reg|#174);'i","'&(deg|#176);'i","'&(#39|#039|#x27);'",
										"'&(euro|#8364);'i","'&a(uml|UML);'","'&o(uml|UML);'","'&u(uml|UML);'","'&A(uml|UML);'","'&O(uml|UML);'","'&U(uml|UML);'",
										"'ß'i",);

						$replace = array("",""," ","\"","&","<",">"," ",chr(161),chr(162),chr(163),chr(169),chr(174),chr(176),chr(39),chr(128),"ä","ö","ü","Ä","Ö","Ü","ß",);

						$body = preg_replace($search,$replace,$bodyhtml);

						// Send them an email with the random key for use with activation
						$mail = new PHPMailer();

						$mail->From = $fromEmail;
						$mail->FromName = $fromDomain;
						$mail->AddAddress( $r_eemail );
						$mail->AddReplyTo ( $fromEmail, $fromDomain );
						$mail->Subject = $subject;
						$mail->Body = $body;
						$mail->WordWrap = 100;
						$mail->IsHTML ( TRUE );
						$mail->AltBody  =  $body;
					}
				} else {
					// Email address was not valid
					$error = 'Please provide a valid email, or you will not be able to activate your account.';
				}
			} else {
				// Confirm fields did not match their respective fields
				$error = 'Make sure both password and email fields match each other before trying again.';
			}
		} else {
			// One or more of the required fields were left empty
			$error = 'All fields are required, make sure you have filled all fields and try again.';
		}
	} else {
		// Maintenance is underway
		$error = 'Registration is currently under maintenance, please wait before trying to register again.';
	}
}

include('lib/closedb.php');
?>

 

Form that the info is entered into:

 

        <form class="form" action="<?=$_SERVER['PHP_SELF']?>" method="post">
        <table>
          <tr>
            <td width="36"></td>
            <td width="205">
            	<input type="hidden" name"_submit_check" value="1"/>
                Username:
                <br />
			<input class="input" type="text" name="r_username" id="r_usernane" size="25" maxlength="40" value="" />
                <br />
                Password:
                <br />
			<input class="input" type="password" name="r_epassword" id="r_epassword" size="25" maxlength="32" />
                <br />
                Confirm Password:
                <br />
                <input class="input" type="password" name="r_cpassword" id="r_cpassword" size="25" maxlength="32" />
                <br />
                Email:
                <br />
                <input class="input" type="text" name="r_eemail" id="r_eemail" size="25" maxlength="40" value="" />
                <br />
                Confirm Email:
                <br />
                <input class="input" type="text" name="r_cemail" id="r_cemail" size="25" maxlength="40" value="" />
        	</td>
            <td width="79"><input name="Registerimg" type="image" src="images/register.png" title="submit" value="Register" alt="register" /></td>
            <td width="195">
            	<input name="Register" type="image" src="images/registertext.png" value="Register" width="59" height="16" />
                <br />
                Publish your information into the database for use as your account.
            </td>
          </tr>
        </table>
        </form>

When you escape the entire query string, you are escaping needed single quotes, hence the error '\'xzalious\'.

Try this:


$query = "SELECT ID, Username, Active, Password FROM users WHERE Username = '".mysql_real_escape_string($user)."' AND Password = '".md5($pass)."'";
$result = mysql_query($query) or die("1 ".mysql_error());
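
Added example, not part of the original posts: the SELECT-for-login and INSERT-for-register pair asked about in Question #1, written with bound parameters so the values never pass through the SQL text at all. PDO with an in-memory SQLite database and password_hash() in place of md5() are choices made for this example, and the table layout, function names and sample values are constructed.

```php
<?php
// Added example (not code from this thread). In-memory SQLite via PDO so it
// runs offline; the schema and sample values below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, email TEXT UNIQUE)');

// Register: INSERT with placeholders. The driver sends the values separately
// from the statement, so quotes in the input cannot change the query.
function register(PDO $db, string $user, string $pass, string $email): bool
{
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ? OR email = ?');
    $check->execute([$user, $email]);
    if ($check->fetchColumn() !== false) {
        return false; // username or email already taken
    }
    $ins = $db->prepare(
        'INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    return $ins->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email]);
}

// Login: SELECT by username only, then verify the stored hash in PHP
// instead of comparing a hash inside the WHERE clause.
function login(PDO $db, string $user, string $pass): bool
{
    $sel = $db->prepare('SELECT password FROM users WHERE username = ?');
    $sel->execute([$user]);
    $hash = $sel->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// Constructed sample input, including a username that contains a quote.
var_dump(register($db, 'xzalious', 'constructed-pass', 'user@example.test'));
var_dump(register($db, "o'brien", 'another-pass', 'obrien@example.test'));
var_dump(login($db, 'xzalious', 'constructed-pass'));
var_dump(login($db, "o'brien", 'wrong-pass'));
```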

 

 
